---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.14.0
  creationTimestamp: null
  name: ciliumclusterwidenetworkpolicies.cilium.io
spec:
  group: cilium.io
  names:
    categories:
    - cilium
    - ciliumpolicy
    kind: CiliumClusterwideNetworkPolicy
    listKind: CiliumClusterwideNetworkPolicyList
    plural: ciliumclusterwidenetworkpolicies
    shortNames:
    - ccnp
    singular: ciliumclusterwidenetworkpolicy
  scope: Cluster
  versions:
  - name: v2
    schema:
      openAPIV3Schema:
        description: CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource
          with an modified version of CiliumNetworkPolicy which is cluster scoped
          rather than namespace scoped.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: Spec is the desired Cilium specific rule specification.
            oneOf:
            - properties:
                endpointSelector: {}
              required:
              - endpointSelector
            - properties:
                nodeSelector: {}
              required:
              - nodeSelector
            properties:
              description:
                description: Description is a free form string, it can be used by
                  the creator of the rule to store human readable explanation of the
                  purpose of this rule. Rules cannot be identified by comment.
                type: string
              egress:
                description: Egress is a list of EgressRule which are enforced at
                  egress. If omitted or empty, this rule does not apply at egress.
                items:
                  description: "EgressRule contains all rule types which can be applied
                    at egress, i.e. network traffic that originates inside the endpoint
                    and exits the endpoint selected by the endpointSelector. \n -
                    All members of this structure are optional. If omitted or empty,
                    the member will have no effect on the rule. \n - If multiple members
                    of the structure are specified, then all members must match in
                    order for the rule to take effect. The exception to this rule
                    is the ToRequires member; the effects of any Requires field in
                    any rule will apply to all other rules as well. \n - ToEndpoints,
                    ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually
                    exclusive. Only one of these members may be present within an
                    individual rule."
                  properties:
                    authentication:
                      description: Authentication is the required authentication type
                        for the allowed traffic, if any.
                      properties:
                        mode:
                          description: Mode is the required authentication mode for
                            the allowed traffic, if any.
                          enum:
                          - disabled
                          - required
                          - test-always-fail
                          type: string
                      required:
                      - mode
                      type: object
                    icmps:
                      description: "ICMPs is a list of ICMP rule identified by type
                        number which the endpoint subject to the rule is allowed to
                        connect to. \n Example: Any endpoint with the label \"app=httpd\"
                        is allowed to initiate type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is a ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is a IP address version. Currently,
                                    we support `IPv4` and `IPv6`. `IPv4` is set as
                                    default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  description: Type is a ICMP-type. It should be 0-255
                                    (8bit).
                                  maximum: 255
                                  minimum: 0
                                  type: integer
                              required:
                              - type
                              type: object
                            type: array
                        type: object
                      type: array
                    toCIDR:
                      description: "ToCIDR is a list of IP blocks which the endpoint
                        subject to the rule is allowed to initiate connections. Only
                        connections destined for outside of the cluster and not targeting
                        the host will be subject to CIDR rules.  This will match on
                        the destination IP address of outgoing connections. Adding
                        a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                        is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                        \n Example: Any endpoint with the label \"app=database-proxy\"
                        is allowed to initiate connections to 10.2.3.0/24"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example:
                          192.0.2.1/32'
                        pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                        type: string
                      type: array
                    toCIDRSet:
                      description: "ToCIDRSet is a list of IP blocks which the endpoint
                        subject to the rule is allowed to initiate connections to
                        in addition to connections which are allowed via ToEndpoints,
                        along with a list of subnets contained within their corresponding
                        IP block to which traffic should not be allowed. This will
                        match on the destination IP address of outgoing connections.
                        Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                        is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                        \n Example: Any endpoint with the label \"app=database-proxy\"
                        is allowed to initiate connections to 10.2.3.0/24 except from
                        IPs in subnet 10.2.3.0/28."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix
                          to/from which outside communication  is allowed, along with
                          an optional list of subnets within that CIDR prefix to/from
                          which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                              object. A CiliumCIDRGroup contains a list of CIDRs that
                              the endpoint, subject to the rule, can (Ingress) or
                              cannot (IngressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks which
                              the endpoint subject to the rule is not allowed to initiate
                              connections to. These CIDR prefixes should be contained
                              within Cidr, using ExceptCIDRs together with CIDRGroupRef
                              is not supported yet. These exceptions are only applied
                              to the Cidr in this CIDRRule, and do not apply to any
                              other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses.
                                Example: 192.0.2.1/32'
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            type: array
                        type: object
                      type: array
                    toEndpoints:
                      description: "ToEndpoints is a list of endpoints identified
                        by an EndpointSelector to which the endpoints subject to the
                        rule are allowed to communicate. \n Example: Any endpoint
                        with the label \"role=frontend\" can communicate with any
                        endpoint carrying the label \"role=backend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toEntities:
                      description: ToEntities is a list of special entities to which
                        the endpoint subject to the rule is allowed to initiate connections.
                        Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`,
                        `init`, `health`,`unmanaged` and `all`.
                      items:
                        description: Entity specifies the class of receiver/sender
                          endpoints that do not have individual identities.  Entities
                          are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    toFQDNs:
                      description: 'ToFQDN allows whitelisting DNS names in place
                        of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s
                        are added to the same EgressRule object as ToCIDRSet entries,
                        and behave accordingly. Any L4 and L7 rules within this EgressRule
                        will also apply to these IPs. The DNS -> IP mapping is re-resolved
                        periodically from within the cilium-agent, and the IPs in
                        the DNS response are effected in the policy for selected pods
                        as-is (i.e. the list of IPs is not modified in any way). Note:
                        An explicit rule to allow for DNS traffic is needed for the
                        pods, as ToFQDN counts as an egress rule and will enforce
                        egress policy when PolicyEnforcment=default. Note: If the
                        resolved IPs are IPs within the kubernetes cluster, the ToFQDN
                        rule will not apply to that IP. Note: ToFQDN cannot occur
                        in the same policy as other To* rules.'
                      items:
                        properties:
                          matchName:
                            description: MatchName matches literal DNS names. A trailing
                              "." is automatically added when missing.
                            pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                            type: string
                          matchPattern:
                            description: "MatchPattern allows using wildcards to match
                              DNS names. All wildcards are case insensitive. The wildcards
                              are: - \"*\" matches 0 or more DNS valid characters,
                              and may occur anywhere in the pattern. As a special
                              case a \"*\" as the leftmost character, without a following
                              \".\" matches all subdomains as well as the name to
                              the right. A trailing \".\" is automatically added when
                              missing. \n Examples: `*.cilium.io` matches subomains
                              of cilium at that level www.cilium.io and blog.cilium.io
                              match, cilium.io and google.com do not `*cilium.io`
                              matches cilium.io and all subdomains ends with \"cilium.io\"
                              except those containing \".\" separator, subcilium.io
                              and sub-cilium.io match, www.cilium.io and blog.cilium.io
                              does not sub*.cilium.io matches subdomains of cilium
                              where the subdomain component begins with \"sub\" sub.cilium.io
                              and subdomain.cilium.io match, www.cilium.io, blog.cilium.io,
                              cilium.io and google.com do not"
                            pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                            type: string
                        type: object
                      type: array
                    toGroups:
                      description: "ToGroups is a directive that allows the integration
                        with multiple outside providers. Currently, only AWS is supported,
                        and the rule can select by multiple sub directives: \n Example:
                        toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                      items:
                        description: ToGroups structure to store all kinds of new
                          integrations that needs a new derivative policy.
                        properties:
                          aws:
                            description: AWSGroup is an structure that can be used
                              to whitelisting information from AWS integration
                            properties:
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                              region:
                                type: string
                              securityGroupsIds:
                                items:
                                  type: string
                                type: array
                              securityGroupsNames:
                                items:
                                  type: string
                                type: array
                            type: object
                        type: object
                      type: array
                    toNodes:
                      description: ToNodes is a list of nodes identified by an EndpointSelector
                        to which endpoints subject to the rule is allowed to communicate.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified
                        by port number and protocol which the endpoint subject to
                        the rule is allowed to connect to. \n Example: Any endpoint
                        with the label \"role=frontend\" is allowed to initiate connections
                        to destination port 8080/tcp"
                      items:
                        description: PortRule is a list of ports/protocol combinations
                          with optional Layer 7 rules which must be met.
                        properties:
                          listener:
                            description: listener specifies the name of a custom Envoy
                              listener to which this traffic should be redirected
                              to.
                            properties:
                              envoyConfig:
                                description: EnvoyConfig is a reference to the CEC
                                  or CCEC resource in which the listener is defined.
                                properties:
                                  kind:
                                    description: Kind is the resource type being referred
                                      to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig
                                      for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,
                                      respectively. The only case this is currently
                                      explicitly needed is when referring to a CiliumClusterwideEnvoyConfig
                                      from CiliumNetworkPolicy, as using a namespaced
                                      listener from a cluster scoped policy is not
                                      allowed.
                                    enum:
                                    - CiliumEnvoyConfig
                                    - CiliumClusterwideEnvoyConfig
                                    type: string
                                  name:
                                    description: Name is the resource name of the
                                      CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig
                                      where the listener is defined in.
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                type: object
                              name:
                                description: Name is the name of the listener.
                                minLength: 1
                                type: string
                              priority:
                                description: Priority for this Listener that is used
                                  when multiple rules would apply different listeners
                                  to a policy map entry. Behavior of this is implementation
                                  dependent.
                                maximum: 100
                                minimum: 1
                                type: integer
                            required:
                            - envoyConfig
                            - name
                            type: object
                          originatingTLS:
                            description: OriginatingTLS is the TLS context for the
                              connections originated by the L7 proxy.  For egress
                              policy this specifies the client-side TLS parameters
                              for the upstream connection originating from the L7
                              proxy to the remote destination. For ingress policy
                              this specifies the client-side TLS parameters for the
                              connection from the L7 proxy to the local endpoint.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret
                                  item name for the certificate chain. If omitted,
                                  'tls.crt' is assumed, if it exists. If given, the
                                  item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret
                                  item name for the private key matching the certificate
                                  chain. If omitted, 'tls.key' is assumed, if it exists.
                                  If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the
                                  certificates and private key for the TLS context.
                                  By default, Cilium will search in this secret for
                                  the following items: - ''ca.crt''  - Which represents
                                  the trusted CA to verify remote source. - ''tls.crt''
                                  - Which represents the public key certificate. -
                                  ''tls.key'' - Which represents the private key matching
                                  the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which
                                      the secret exists. Context of use determines
                                      the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret
                                  item name for the trusted CA. If omitted, 'ca.crt'
                                  is assumed, if it exists. If given, the item must
                                  exist.
                                type: string
                            required:
                            - secret
                            type: object
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with
                                an optional transport protocol
                              properties:
                                port:
                                  description: Port is an L4 port number. For now
                                    the string will be strictly parsed as a single
                                    uint16. In the future, this field may support
                                    ranges in the form "1024-2048 Port can also be
                                    a port name, which must contain at least one [a-z],
                                    and may also contain [0-9] and '-' anywhere except
                                    adjacent to another '-' or in the beginning or
                                    the end.
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted
                                    or empty, any protocol matches. Accepted values:
                                    \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching
                                    on ICMP is not supported. \n Named port specified
                                    for a container may narrow this down, but may
                                    not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                          rules:
                            description: Rules is a list of additional port level
                              rules which must be met in order for the PortRule to
                              allow the traffic. If omitted or empty, no layer 7 rules
                              are enforced.
                            properties:
                              dns:
                                description: DNS-specific rules.
                                items:
                                  description: PortRuleDNS is a list of allowed DNS
                                    lookups.
                                  properties:
                                    matchName:
                                      description: MatchName matches literal DNS names.
                                        A trailing "." is automatically added when
                                        missing.
                                      pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                      type: string
                                    matchPattern:
                                      description: "MatchPattern allows using wildcards
                                        to match DNS names. All wildcards are case
                                        insensitive. The wildcards are: - \"*\" matches
                                        0 or more DNS valid characters, and may occur
                                        anywhere in the pattern. As a special case
                                        a \"*\" as the leftmost character, without
                                        a following \".\" matches all subdomains as
                                        well as the name to the right. A trailing
                                        \".\" is automatically added when missing.
                                        \n Examples: `*.cilium.io` matches subomains
                                        of cilium at that level www.cilium.io and
                                        blog.cilium.io match, cilium.io and google.com
                                        do not `*cilium.io` matches cilium.io and
                                        all subdomains ends with \"cilium.io\" except
                                        those containing \".\" separator, subcilium.io
                                        and sub-cilium.io match, www.cilium.io and
                                        blog.cilium.io does not sub*.cilium.io matches
                                        subdomains of cilium where the subdomain component
                                        begins with \"sub\" sub.cilium.io and subdomain.cilium.io
                                        match, www.cilium.io, blog.cilium.io, cilium.io
                                        and google.com do not"
                                      pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                      type: string
                                  type: object
                                type: array
                              http:
                                description: HTTP specific rules.
                                items:
                                  description: "PortRuleHTTP is a list of HTTP protocol
                                    constraints. All fields are optional, if all fields
                                    are empty or missing, the rule does not have any
                                    effect. \n All fields of this type are extended
                                    POSIX regex as defined by IEEE Std 1003.1, (i.e
                                    this follows the egrep/unix syntax, not the perl
                                    syntax) matched against the path of an incoming
                                    request. Currently it can contain characters disallowed
                                    from the conventional \"path\" part of a URL as
                                    defined by RFC 3986."
                                  properties:
                                    headerMatches:
                                      description: HeaderMatches is a list of HTTP
                                        headers which must be present and match against
                                        the given values. Mismatch field can be used
                                        to specify what to do when there is no match.
                                      items:
                                        description: HeaderMatch extends the HeaderValue
                                          for matching requirement of a named header
                                          field against an immediate string, a secret
                                          value, or a regex.  If none of the optional
                                          fields is present, then the header value
                                          is not matched, only presence of the header
                                          is enough.
                                        properties:
                                          mismatch:
                                            description: Mismatch identifies what
                                              to do in case there is no match. The
                                              default is to drop the request. Otherwise
                                              the overall rule is still considered
                                              as matching, but the mismatches are
                                              logged in the access log.
                                            enum:
                                            - LOG
                                            - ADD
                                            - DELETE
                                            - REPLACE
                                            type: string
                                          name:
                                            description: Name identifies the header.
                                            type: string
                                          secret:
                                            description: Secret refers to a secret
                                              that contains the value to be matched
                                              against. The secret must only contain
                                              one entry. If the referred secret does
                                              not exist, and there is no "Value" specified,
                                              the match will fail.
                                            properties:
                                              name:
                                                description: Name is the name of the
                                                  secret.
                                                type: string
                                              namespace:
                                                description: Namespace is the namespace
                                                  in which the secret exists. Context
                                                  of use determines the default value
                                                  if left out (e.g., "default").
                                                type: string
                                            required:
                                            - name
                                            type: object
                                          value:
                                            description: Value matches the exact value
                                              of the header. Can be specified either
                                              alone or together with "Secret"; will
                                              be used as the header value if the secret
                                              can not be found in the latter case.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                      type: array
                                    headers:
                                      description: Headers is a list of HTTP headers
                                        which must be present in the request. If omitted
                                        or empty, requests are allowed regardless
                                        of headers present.
                                      items:
                                        type: string
                                      type: array
                                    host:
                                      description: "Host is an extended POSIX regex
                                        matched against the host header of a request,
                                        e.g. \"foo.com\" \n If omitted or empty, the
                                        value of the host header is ignored."
                                      format: idn-hostname
                                      type: string
                                    method:
                                      description: "Method is an extended POSIX regex
                                        matched against the method of a request, e.g.
                                        \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\",
                                        ... \n If omitted or empty, all methods are
                                        allowed."
                                      type: string
                                    path:
                                      description: "Path is an extended POSIX regex
                                        matched against the path of a request. Currently
                                        it can contain characters disallowed from
                                        the conventional \"path\" part of a URL as
                                        defined by RFC 3986. \n If omitted or empty,
                                        all paths are all allowed."
                                      type: string
                                  type: object
                                type: array
                              kafka:
                                description: Kafka-specific rules.
                                items:
                                  description: PortRule is a list of Kafka protocol
                                    constraints. All fields are optional, if all fields
                                    are empty or missing, the rule will match all
                                    Kafka messages.
                                  properties:
                                    apiKey:
                                      description: "APIKey is a case-insensitive string
                                        matched against the key of a request, e.g.
                                        \"produce\", \"fetch\", \"createtopic\", \"deletetopic\",
                                        et al Reference: https://kafka.apache.org/protocol#protocol_api_keys
                                        \n If omitted or empty, and if Role is not
                                        specified, then all keys are allowed."
                                      type: string
                                    apiVersion:
                                      description: "APIVersion is the version matched
                                        against the api version of the Kafka message.
                                        If set, it has to be a string representing
                                        a positive integer. \n If omitted or empty,
                                        all versions are allowed."
                                      type: string
                                    clientID:
                                      description: "ClientID is the client identifier
                                        as provided in the request. \n From Kafka
                                        protocol documentation: This is a user supplied
                                        identifier for the client application. The
                                        user can use any identifier they like and
                                        it will be used when logging errors, monitoring
                                        aggregates, etc. For example, one might want
                                        to monitor not just the requests per second
                                        overall, but the number coming from each client
                                        application (each of which could reside on
                                        multiple servers). This id acts as a logical
                                        grouping across all requests from a particular
                                        client. \n If omitted or empty, all client
                                        identifiers are allowed."
                                      type: string
                                    role:
                                      description: "Role is a case-insensitive string
                                        and describes a group of API keys necessary
                                        to perform certain higher-level Kafka operations
                                        such as \"produce\" or \"consume\". A Role
                                        automatically expands into all APIKeys required
                                        to perform the specified higher-level operation.
                                        \n The following values are supported: - \"produce\":
                                        Allow producing to the topics specified in
                                        the rule - \"consume\": Allow consuming from
                                        the topics specified in the rule \n This field
                                        is incompatible with the APIKey field, i.e
                                        APIKey and Role cannot both be specified in
                                        the same rule. \n If omitted or empty, and
                                        if APIKey is not specified, then all keys
                                        are allowed."
                                      enum:
                                      - produce
                                      - consume
                                      type: string
                                    topic:
                                      description: "Topic is the topic name contained
                                        in the message. If a Kafka request contains
                                        multiple topics, then all topics must be allowed
                                        or the message will be rejected. \n This constraint
                                        is ignored if the matched request message
                                        type doesn't contain any topic. Maximum size
                                        of Topic can be 249 characters as per recent
                                        Kafka spec and allowed characters are a-z,
                                        A-Z, 0-9, -, . and _. \n Older Kafka versions
                                        had longer topic lengths of 255, but in Kafka
                                        0.10 version the length was changed from 255
                                        to 249. For compatibility reasons we are using
                                        255. \n If omitted or empty, all topics are
                                        allowed."
                                      maxLength: 255
                                      type: string
                                  type: object
                                type: array
                              l7:
                                description: Key-value pair rules.
                                items:
                                  additionalProperties:
                                    type: string
                                  description: PortRuleL7 is a list of key-value pairs
                                    interpreted by a L7 protocol as protocol constraints.
                                    All fields are optional, if all fields are empty
                                    or missing, the rule does not have any effect.
                                  type: object
                                type: array
                              l7proto:
                                description: Name of the L7 protocol for which the
                                  Key-value pair rules apply.
                                type: string
                            type: object
                          serverNames:
                            description: ServerNames is a list of allowed TLS SNI
                              values. If not empty, then TLS must be present and one
                              of the provided SNIs must be indicated in the TLS handshake.
                            items:
                              type: string
                            type: array
                          terminatingTLS:
                            description: TerminatingTLS is the TLS context for the
                              connection terminated by the L7 proxy.  For egress policy
                              this specifies the server-side TLS parameters to be
                              applied on the connections originated from the local
                              endpoint and terminated by the L7 proxy. For ingress
                              policy this specifies the server-side TLS parameters
                              to be applied on the connections originated from a remote
                              source and terminated by the L7 proxy.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret
                                  item name for the certificate chain. If omitted,
                                  'tls.crt' is assumed, if it exists. If given, the
                                  item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret
                                  item name for the private key matching the certificate
                                  chain. If omitted, 'tls.key' is assumed, if it exists.
                                  If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the
                                  certificates and private key for the TLS context.
                                  By default, Cilium will search in this secret for
                                  the following items: - ''ca.crt''  - Which represents
                                  the trusted CA to verify remote source. - ''tls.crt''
                                  - Which represents the public key certificate. -
                                  ''tls.key'' - Which represents the private key matching
                                  the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which
                                      the secret exists. Context of use determines
                                      the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret
                                  item name for the trusted CA. If omitted, 'ca.crt'
                                  is assumed, if it exists. If given, the item must
                                  exist.
                                type: string
                            required:
                            - secret
                            type: object
                        type: object
                      type: array
                    toRequires:
                      description: "ToRequires is a list of additional constraints
                        which must be met in order for the selected endpoints to be
                        able to connect to other endpoints. These additional constraints
                        do no by itself grant access privileges and must always be
                        accompanied with at least one matching ToEndpoints. \n Example:
                        Any Endpoint with the label \"team=A\" requires any endpoint
                        to which it communicates to also carry the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toServices:
                      description: "ToServices is a list of services to which the
                        endpoint subject to the rule is allowed to initiate connections.
                        Currently Cilium only supports toServices for K8s services
                        without selectors. \n Example: Any endpoint with the label
                        \"app=backend-app\" is allowed to initiate connections to
                        all cidrs backing the \"external-service\" service"
                      items:
                        description: Service wraps around selectors for services
                        properties:
                          k8sService:
                            description: K8sService selects service by name and namespace
                              pair
                            properties:
                              namespace:
                                type: string
                              serviceName:
                                type: string
                            type: object
                          k8sServiceSelector:
                            description: K8sServiceSelector selects services by k8s
                              labels and namespace
                            properties:
                              namespace:
                                type: string
                              selector:
                                description: ServiceSelector is a label selector for
                                  k8s services
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label
                                      selector requirements. The requirements are
                                      ANDed.
                                    items:
                                      description: A label selector requirement is
                                        a selector that contains values, a key, and
                                        an operator that relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the
                                            selector applies to.
                                          type: string
                                        operator:
                                          description: operator represents a key's
                                            relationship to a set of values. Valid
                                            operators are In, NotIn, Exists and DoesNotExist.
                                          enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                          type: string
                                        values:
                                          description: values is an array of string
                                            values. If the operator is In or NotIn,
                                            the values array must be non-empty. If
                                            the operator is Exists or DoesNotExist,
                                            the values array must be empty. This array
                                            is replaced during a strategic merge patch.
                                          items:
                                            type: string
                                          type: array
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                  matchLabels:
                                    additionalProperties:
                                      description: MatchLabelsValue represents the
                                        value from the MatchLabels {key,value} pair.
                                      maxLength: 63
                                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                      type: string
                                    description: matchLabels is a map of {key,value}
                                      pairs. A single {key,value} in the matchLabels
                                      map is equivalent to an element of matchExpressions,
                                      whose key field is "key", the operator is "In",
                                      and the values array contains only "value".
                                      The requirements are ANDed.
                                    type: object
                                type: object
                            required:
                            - selector
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              egressDeny:
                description: EgressDeny is a list of EgressDenyRule which are enforced
                  at egress. Any rule inserted here will be denied regardless of the
                  allowed egress rules in the 'egress' field. If omitted or empty,
                  this rule does not apply at egress.
                items:
                  description: "EgressDenyRule contains all rule types which can be
                    applied at egress, i.e. network traffic that originates inside
                    the endpoint and exits the endpoint selected by the endpointSelector.
                    \n - All members of this structure are optional. If omitted or
                    empty, the member will have no effect on the rule. \n - If multiple
                    members of the structure are specified, then all members must
                    match in order for the rule to take effect. The exception to this
                    rule is the ToRequires member; the effects of any Requires field
                    in any rule will apply to all other rules as well. \n - ToEndpoints,
                    ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually
                    exclusive. Only one of these members may be present within an
                    individual rule."
                  properties:
                    icmps:
                      description: "ICMPs is a list of ICMP rule identified by type
                        number which the endpoint subject to the rule is not allowed
                        to connect to. \n Example: Any endpoint with the label \"app=httpd\"
                        is not allowed to initiate type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is a ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is a IP address version. Currently,
                                    we support `IPv4` and `IPv6`. `IPv4` is set as
                                    default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  description: Type is a ICMP-type. It should be 0-255
                                    (8bit).
                                  maximum: 255
                                  minimum: 0
                                  type: integer
                              required:
                              - type
                              type: object
                            type: array
                        type: object
                      type: array
                    toCIDR:
                      description: "ToCIDR is a list of IP blocks which the endpoint
                        subject to the rule is allowed to initiate connections. Only
                        connections destined for outside of the cluster and not targeting
                        the host will be subject to CIDR rules.  This will match on
                        the destination IP address of outgoing connections. Adding
                        a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                        is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                        \n Example: Any endpoint with the label \"app=database-proxy\"
                        is allowed to initiate connections to 10.2.3.0/24"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example:
                          192.0.2.1/32'
                        pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                        type: string
                      type: array
                    toCIDRSet:
                      description: "ToCIDRSet is a list of IP blocks which the endpoint
                        subject to the rule is allowed to initiate connections to
                        in addition to connections which are allowed via ToEndpoints,
                        along with a list of subnets contained within their corresponding
                        IP block to which traffic should not be allowed. This will
                        match on the destination IP address of outgoing connections.
                        Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                        is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                        \n Example: Any endpoint with the label \"app=database-proxy\"
                        is allowed to initiate connections to 10.2.3.0/24 except from
                        IPs in subnet 10.2.3.0/28."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix
                          to/from which outside communication  is allowed, along with
                          an optional list of subnets within that CIDR prefix to/from
                          which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                              object. A CiliumCIDRGroup contains a list of CIDRs that
                              the endpoint, subject to the rule, can (Ingress) or
                              cannot (IngressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks which
                              the endpoint subject to the rule is not allowed to initiate
                              connections to. These CIDR prefixes should be contained
                              within Cidr, using ExceptCIDRs together with CIDRGroupRef
                              is not supported yet. These exceptions are only applied
                              to the Cidr in this CIDRRule, and do not apply to any
                              other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses.
                                Example: 192.0.2.1/32'
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            type: array
                        type: object
                      type: array
                    toEndpoints:
                      description: "ToEndpoints is a list of endpoints identified
                        by an EndpointSelector to which the endpoints subject to the
                        rule are allowed to communicate. \n Example: Any endpoint
                        with the label \"role=frontend\" can communicate with any
                        endpoint carrying the label \"role=backend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toEntities:
                      description: ToEntities is a list of special entities to which
                        the endpoint subject to the rule is allowed to initiate connections.
                        Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`,
                        `init`, `health`,`unmanaged` and `all`.
                      items:
                        description: Entity specifies the class of receiver/sender
                          endpoints that do not have individual identities.  Entities
                          are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    toGroups:
                      description: "ToGroups is a directive that allows the integration
                        with multiple outside providers. Currently, only AWS is supported,
                        and the rule can select by multiple sub directives: \n Example:
                        toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                      items:
                        description: ToGroups structure to store all kinds of new
                          integrations that needs a new derivative policy.
                        properties:
                          aws:
                            description: AWSGroup is an structure that can be used
                              to whitelisting information from AWS integration
                            properties:
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                              region:
                                type: string
                              securityGroupsIds:
                                items:
                                  type: string
                                type: array
                              securityGroupsNames:
                                items:
                                  type: string
                                type: array
                            type: object
                        type: object
                      type: array
                    toNodes:
                      description: ToNodes is a list of nodes identified by an EndpointSelector
                        to which endpoints subject to the rule is allowed to communicate.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified
                        by port number and protocol which the endpoint subject to
                        the rule is not allowed to connect to. \n Example: Any endpoint
                        with the label \"role=frontend\" is not allowed to initiate
                        connections to destination port 8080/tcp"
                      items:
                        description: PortDenyRule is a list of ports/protocol that
                          should be used for deny policies. This structure lacks the
                          L7Rules since it's not supported in deny policies.
                        properties:
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with
                                an optional transport protocol
                              properties:
                                port:
                                  description: Port is an L4 port number. For now
                                    the string will be strictly parsed as a single
                                    uint16. In the future, this field may support
                                    ranges in the form "1024-2048 Port can also be
                                    a port name, which must contain at least one [a-z],
                                    and may also contain [0-9] and '-' anywhere except
                                    adjacent to another '-' or in the beginning or
                                    the end.
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted
                                    or empty, any protocol matches. Accepted values:
                                    \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching
                                    on ICMP is not supported. \n Named port specified
                                    for a container may narrow this down, but may
                                    not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                        type: object
                      type: array
                    toRequires:
                      description: "ToRequires is a list of additional constraints
                        which must be met in order for the selected endpoints to be
                        able to connect to other endpoints. These additional constraints
                        do no by itself grant access privileges and must always be
                        accompanied with at least one matching ToEndpoints. \n Example:
                        Any Endpoint with the label \"team=A\" requires any endpoint
                        to which it communicates to also carry the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toServices:
                      description: "ToServices is a list of services to which the
                        endpoint subject to the rule is allowed to initiate connections.
                        Currently Cilium only supports toServices for K8s services
                        without selectors. \n Example: Any endpoint with the label
                        \"app=backend-app\" is allowed to initiate connections to
                        all cidrs backing the \"external-service\" service"
                      items:
                        description: Service wraps around selectors for services
                        properties:
                          k8sService:
                            description: K8sService selects service by name and namespace
                              pair
                            properties:
                              namespace:
                                type: string
                              serviceName:
                                type: string
                            type: object
                          k8sServiceSelector:
                            description: K8sServiceSelector selects services by k8s
                              labels and namespace
                            properties:
                              namespace:
                                type: string
                              selector:
                                description: ServiceSelector is a label selector for
                                  k8s services
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label
                                      selector requirements. The requirements are
                                      ANDed.
                                    items:
                                      description: A label selector requirement is
                                        a selector that contains values, a key, and
                                        an operator that relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the
                                            selector applies to.
                                          type: string
                                        operator:
                                          description: operator represents a key's
                                            relationship to a set of values. Valid
                                            operators are In, NotIn, Exists and DoesNotExist.
                                          enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                          type: string
                                        values:
                                          description: values is an array of string
                                            values. If the operator is In or NotIn,
                                            the values array must be non-empty. If
                                            the operator is Exists or DoesNotExist,
                                            the values array must be empty. This array
                                            is replaced during a strategic merge patch.
                                          items:
                                            type: string
                                          type: array
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                  matchLabels:
                                    additionalProperties:
                                      description: MatchLabelsValue represents the
                                        value from the MatchLabels {key,value} pair.
                                      maxLength: 63
                                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                      type: string
                                    description: matchLabels is a map of {key,value}
                                      pairs. A single {key,value} in the matchLabels
                                      map is equivalent to an element of matchExpressions,
                                      whose key field is "key", the operator is "In",
                                      and the values array contains only "value".
                                      The requirements are ANDed.
                                    type: object
                                type: object
                            required:
                            - selector
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              endpointSelector:
                description: EndpointSelector selects all endpoints which should be
                  subject to this rule. EndpointSelector and NodeSelector cannot be
                  both empty and are mutually exclusive.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that
                        contains values, a key, and an operator that relates the key
                        and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to
                            a set of values. Valid operators are In, NotIn, Exists
                            and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the
                            operator is In or NotIn, the values array must be non-empty.
                            If the operator is Exists or DoesNotExist, the values
                            array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      description: MatchLabelsValue represents the value from the
                        MatchLabels {key,value} pair.
                      maxLength: 63
                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                      type: string
                    description: matchLabels is a map of {key,value} pairs. A single
                      {key,value} in the matchLabels map is equivalent to an element
                      of matchExpressions, whose key field is "key", the operator
                      is "In", and the values array contains only "value". The requirements
                      are ANDed.
                    type: object
                type: object
              ingress:
                description: Ingress is a list of IngressRule which are enforced at
                  ingress. If omitted or empty, this rule does not apply at ingress.
                items:
                  description: "IngressRule contains all rule types which can be applied
                    at ingress, i.e. network traffic that originates outside of the
                    endpoint and is entering the endpoint selected by the endpointSelector.
                    \n - All members of this structure are optional. If omitted or
                    empty, the member will have no effect on the rule. \n - If multiple
                    members are set, all of them need to match in order for the rule
                    to take effect. The exception to this rule is FromRequires field;
                    the effects of any Requires field in any rule will apply to all
                    other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet
                    and FromEntities are mutually exclusive. Only one of these members
                    may be present within an individual rule."
                  properties:
                    authentication:
                      description: Authentication is the required authentication type
                        for the allowed traffic, if any.
                      properties:
                        mode:
                          description: Mode is the required authentication mode for
                            the allowed traffic, if any.
                          enum:
                          - disabled
                          - required
                          - test-always-fail
                          type: string
                      required:
                      - mode
                      type: object
                    fromCIDR:
                      description: "FromCIDR is a list of IP blocks which the endpoint
                        subject to the rule is allowed to receive connections from.
                        Only connections which do *not* originate from the cluster
                        or from the local host are subject to CIDR rules. In order
                        to allow in-cluster connectivity, use the FromEndpoints field.
                        \ This will match on the source IP address of incoming connections.
                        Adding  a prefix into FromCIDR or into FromCIDRSet with no
                        ExcludeCIDRs is  equivalent.  Overlaps are allowed between
                        FromCIDR and FromCIDRSet. \n Example: Any endpoint with the
                        label \"app=my-legacy-pet\" is allowed to receive connections
                        from 10.3.9.1"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example:
                          192.0.2.1/32'
                        pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                        type: string
                      type: array
                    fromCIDRSet:
                      description: "FromCIDRSet is a list of IP blocks which the endpoint
                        subject to the rule is allowed to receive connections from
                        in addition to FromEndpoints, along with a list of subnets
                        contained within their corresponding IP block from which traffic
                        should not be allowed. This will match on the source IP address
                        of incoming connections. Adding a prefix into FromCIDR or
                        into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps
                        are allowed between FromCIDR and FromCIDRSet. \n Example:
                        Any endpoint with the label \"app=my-legacy-pet\" is allowed
                        to receive connections from 10.0.0.0/8 except from IPs in
                        subnet 10.96.0.0/12."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix
                          to/from which outside communication  is allowed, along with
                          an optional list of subnets within that CIDR prefix to/from
                          which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                              object. A CiliumCIDRGroup contains a list of CIDRs that
                              the endpoint, subject to the rule, can (Ingress) or
                              cannot (IngressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks which
                              the endpoint subject to the rule is not allowed to initiate
                              connections to. These CIDR prefixes should be contained
                              within Cidr, using ExceptCIDRs together with CIDRGroupRef
                              is not supported yet. These exceptions are only applied
                              to the Cidr in this CIDRRule, and do not apply to any
                              other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses.
                                Example: 192.0.2.1/32'
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            type: array
                        type: object
                      type: array
                    fromEndpoints:
                      description: "FromEndpoints is a list of endpoints identified
                        by an EndpointSelector which are allowed to communicate with
                        the endpoint subject to the rule. \n Example: Any endpoint
                        with the label \"role=backend\" can be consumed by any endpoint
                        carrying the label \"role=frontend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromEntities:
                      description: FromEntities is a list of special entities which
                        the endpoint subject to the rule is allowed to receive connections
                        from. Supported entities are `world`, `cluster` and `host`
                      items:
                        description: Entity specifies the class of receiver/sender
                          endpoints that do not have individual identities.  Entities
                          are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    fromNodes:
                      description: FromNodes is a list of nodes identified by an EndpointSelector
                        which are allowed to communicate with the endpoint subject
                        to the rule.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromRequires:
                      description: "FromRequires is a list of additional constraints
                        which must be met in order for the selected endpoints to be
                        reachable. These additional constraints do no by itself grant
                        access privileges and must always be accompanied with at least
                        one matching FromEndpoints. \n Example: Any Endpoint with
                        the label \"team=A\" requires consuming endpoint to also carry
                        the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    icmps:
                      description: "ICMPs is a list of ICMP rule identified by type
                        number which the endpoint subject to the rule is allowed to
                        receive connections on. \n Example: Any endpoint with the
                        label \"app=httpd\" can only accept incoming type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is a ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is a IP address version. Currently,
                                    we support `IPv4` and `IPv6`. `IPv4` is set as
                                    default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  description: Type is a ICMP-type. It should be 0-255
                                    (8bit).
                                  maximum: 255
                                  minimum: 0
                                  type: integer
                              required:
                              - type
                              type: object
                            type: array
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified
                        by port number and protocol which the endpoint subject to
                        the rule is allowed to receive connections on. \n Example:
                        Any endpoint with the label \"app=httpd\" can only accept
                        incoming connections on port 80/tcp."
                      items:
                        description: PortRule is a list of ports/protocol combinations
                          with optional Layer 7 rules which must be met.
                        properties:
                          listener:
                            description: listener specifies the name of a custom Envoy
                              listener to which this traffic should be redirected
                              to.
                            properties:
                              envoyConfig:
                                description: EnvoyConfig is a reference to the CEC
                                  or CCEC resource in which the listener is defined.
                                properties:
                                  kind:
                                    description: Kind is the resource type being referred
                                      to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig
                                      for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,
                                      respectively. The only case this is currently
                                      explicitly needed is when referring to a CiliumClusterwideEnvoyConfig
                                      from CiliumNetworkPolicy, as using a namespaced
                                      listener from a cluster scoped policy is not
                                      allowed.
                                    enum:
                                    - CiliumEnvoyConfig
                                    - CiliumClusterwideEnvoyConfig
                                    type: string
                                  name:
                                    description: Name is the resource name of the
                                      CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig
                                      where the listener is defined in.
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                type: object
                              name:
                                description: Name is the name of the listener.
                                minLength: 1
                                type: string
                              priority:
                                description: Priority for this Listener that is used
                                  when multiple rules would apply different listeners
                                  to a policy map entry. Behavior of this is implementation
                                  dependent.
                                maximum: 100
                                minimum: 1
                                type: integer
                            required:
                            - envoyConfig
                            - name
                            type: object
                          originatingTLS:
                            description: OriginatingTLS is the TLS context for the
                              connections originated by the L7 proxy.  For egress
                              policy this specifies the client-side TLS parameters
                              for the upstream connection originating from the L7
                              proxy to the remote destination. For ingress policy
                              this specifies the client-side TLS parameters for the
                              connection from the L7 proxy to the local endpoint.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret
                                  item name for the certificate chain. If omitted,
                                  'tls.crt' is assumed, if it exists. If given, the
                                  item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret
                                  item name for the private key matching the certificate
                                  chain. If omitted, 'tls.key' is assumed, if it exists.
                                  If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the
                                  certificates and private key for the TLS context.
                                  By default, Cilium will search in this secret for
                                  the following items: - ''ca.crt''  - Which represents
                                  the trusted CA to verify remote source. - ''tls.crt''
                                  - Which represents the public key certificate. -
                                  ''tls.key'' - Which represents the private key matching
                                  the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which
                                      the secret exists. Context of use determines
                                      the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret
                                  item name for the trusted CA. If omitted, 'ca.crt'
                                  is assumed, if it exists. If given, the item must
                                  exist.
                                type: string
                            required:
                            - secret
                            type: object
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with
                                an optional transport protocol
                              properties:
                                port:
                                  description: Port is an L4 port number. For now
                                    the string will be strictly parsed as a single
                                    uint16. In the future, this field may support
                                    ranges in the form "1024-2048 Port can also be
                                    a port name, which must contain at least one [a-z],
                                    and may also contain [0-9] and '-' anywhere except
                                    adjacent to another '-' or in the beginning or
                                    the end.
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted
                                    or empty, any protocol matches. Accepted values:
                                    \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching
                                    on ICMP is not supported. \n Named port specified
                                    for a container may narrow this down, but may
                                    not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                          rules:
                            description: Rules is a list of additional port level
                              rules which must be met in order for the PortRule to
                              allow the traffic. If omitted or empty, no layer 7 rules
                              are enforced.
                            properties:
                              dns:
                                description: DNS-specific rules.
                                items:
                                  description: PortRuleDNS is a list of allowed DNS
                                    lookups.
                                  properties:
                                    matchName:
                                      description: MatchName matches literal DNS names.
                                        A trailing "." is automatically added when
                                        missing.
                                      pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                      type: string
                                    matchPattern:
                                      description: "MatchPattern allows using wildcards
                                        to match DNS names. All wildcards are case
                                        insensitive. The wildcards are: - \"*\" matches
                                        0 or more DNS valid characters, and may occur
                                        anywhere in the pattern. As a special case
                                        a \"*\" as the leftmost character, without
                                        a following \".\" matches all subdomains as
                                        well as the name to the right. A trailing
                                        \".\" is automatically added when missing.
                                        \n Examples: `*.cilium.io` matches subomains
                                        of cilium at that level www.cilium.io and
                                        blog.cilium.io match, cilium.io and google.com
                                        do not `*cilium.io` matches cilium.io and
                                        all subdomains ends with \"cilium.io\" except
                                        those containing \".\" separator, subcilium.io
                                        and sub-cilium.io match, www.cilium.io and
                                        blog.cilium.io does not sub*.cilium.io matches
                                        subdomains of cilium where the subdomain component
                                        begins with \"sub\" sub.cilium.io and subdomain.cilium.io
                                        match, www.cilium.io, blog.cilium.io, cilium.io
                                        and google.com do not"
                                      pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                      type: string
                                  type: object
                                type: array
                              http:
                                description: HTTP specific rules.
                                items:
                                  description: "PortRuleHTTP is a list of HTTP protocol
                                    constraints. All fields are optional, if all fields
                                    are empty or missing, the rule does not have any
                                    effect. \n All fields of this type are extended
                                    POSIX regex as defined by IEEE Std 1003.1, (i.e
                                    this follows the egrep/unix syntax, not the perl
                                    syntax) matched against the path of an incoming
                                    request. Currently it can contain characters disallowed
                                    from the conventional \"path\" part of a URL as
                                    defined by RFC 3986."
                                  properties:
                                    headerMatches:
                                      description: HeaderMatches is a list of HTTP
                                        headers which must be present and match against
                                        the given values. Mismatch field can be used
                                        to specify what to do when there is no match.
                                      items:
                                        description: HeaderMatch extends the HeaderValue
                                          for matching requirement of a named header
                                          field against an immediate string, a secret
                                          value, or a regex.  If none of the optional
                                          fields is present, then the header value
                                          is not matched, only presence of the header
                                          is enough.
                                        properties:
                                          mismatch:
                                            description: Mismatch identifies what
                                              to do in case there is no match. The
                                              default is to drop the request. Otherwise
                                              the overall rule is still considered
                                              as matching, but the mismatches are
                                              logged in the access log.
                                            enum:
                                            - LOG
                                            - ADD
                                            - DELETE
                                            - REPLACE
                                            type: string
                                          name:
                                            description: Name identifies the header.
                                            type: string
                                          secret:
                                            description: Secret refers to a secret
                                              that contains the value to be matched
                                              against. The secret must only contain
                                              one entry. If the referred secret does
                                              not exist, and there is no "Value" specified,
                                              the match will fail.
                                            properties:
                                              name:
                                                description: Name is the name of the
                                                  secret.
                                                type: string
                                              namespace:
                                                description: Namespace is the namespace
                                                  in which the secret exists. Context
                                                  of use determines the default value
                                                  if left out (e.g., "default").
                                                type: string
                                            required:
                                            - name
                                            type: object
                                          value:
                                            description: Value matches the exact value
                                              of the header. Can be specified either
                                              alone or together with "Secret"; will
                                              be used as the header value if the secret
                                              can not be found in the latter case.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                      type: array
                                    headers:
                                      description: Headers is a list of HTTP headers
                                        which must be present in the request. If omitted
                                        or empty, requests are allowed regardless
                                        of headers present.
                                      items:
                                        type: string
                                      type: array
                                    host:
                                      description: "Host is an extended POSIX regex
                                        matched against the host header of a request,
                                        e.g. \"foo.com\" \n If omitted or empty, the
                                        value of the host header is ignored."
                                      format: idn-hostname
                                      type: string
                                    method:
                                      description: "Method is an extended POSIX regex
                                        matched against the method of a request, e.g.
                                        \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\",
                                        ... \n If omitted or empty, all methods are
                                        allowed."
                                      type: string
                                    path:
                                      description: "Path is an extended POSIX regex
                                        matched against the path of a request. Currently
                                        it can contain characters disallowed from
                                        the conventional \"path\" part of a URL as
                                        defined by RFC 3986. \n If omitted or empty,
                                        all paths are all allowed."
                                      type: string
                                  type: object
                                type: array
                              kafka:
                                description: Kafka-specific rules.
                                items:
                                  description: PortRule is a list of Kafka protocol
                                    constraints. All fields are optional, if all fields
                                    are empty or missing, the rule will match all
                                    Kafka messages.
                                  properties:
                                    apiKey:
                                      description: "APIKey is a case-insensitive string
                                        matched against the key of a request, e.g.
                                        \"produce\", \"fetch\", \"createtopic\", \"deletetopic\",
                                        et al Reference: https://kafka.apache.org/protocol#protocol_api_keys
                                        \n If omitted or empty, and if Role is not
                                        specified, then all keys are allowed."
                                      type: string
                                    apiVersion:
                                      description: "APIVersion is the version matched
                                        against the api version of the Kafka message.
                                        If set, it has to be a string representing
                                        a positive integer. \n If omitted or empty,
                                        all versions are allowed."
                                      type: string
                                    clientID:
                                      description: "ClientID is the client identifier
                                        as provided in the request. \n From Kafka
                                        protocol documentation: This is a user supplied
                                        identifier for the client application. The
                                        user can use any identifier they like and
                                        it will be used when logging errors, monitoring
                                        aggregates, etc. For example, one might want
                                        to monitor not just the requests per second
                                        overall, but the number coming from each client
                                        application (each of which could reside on
                                        multiple servers). This id acts as a logical
                                        grouping across all requests from a particular
                                        client. \n If omitted or empty, all client
                                        identifiers are allowed."
                                      type: string
                                    role:
                                      description: "Role is a case-insensitive string
                                        and describes a group of API keys necessary
                                        to perform certain higher-level Kafka operations
                                        such as \"produce\" or \"consume\". A Role
                                        automatically expands into all APIKeys required
                                        to perform the specified higher-level operation.
                                        \n The following values are supported: - \"produce\":
                                        Allow producing to the topics specified in
                                        the rule - \"consume\": Allow consuming from
                                        the topics specified in the rule \n This field
                                        is incompatible with the APIKey field, i.e
                                        APIKey and Role cannot both be specified in
                                        the same rule. \n If omitted or empty, and
                                        if APIKey is not specified, then all keys
                                        are allowed."
                                      enum:
                                      - produce
                                      - consume
                                      type: string
                                    topic:
                                      description: "Topic is the topic name contained
                                        in the message. If a Kafka request contains
                                        multiple topics, then all topics must be allowed
                                        or the message will be rejected. \n This constraint
                                        is ignored if the matched request message
                                        type doesn't contain any topic. Maximum size
                                        of Topic can be 249 characters as per recent
                                        Kafka spec and allowed characters are a-z,
                                        A-Z, 0-9, -, . and _. \n Older Kafka versions
                                        had longer topic lengths of 255, but in Kafka
                                        0.10 version the length was changed from 255
                                        to 249. For compatibility reasons we are using
                                        255. \n If omitted or empty, all topics are
                                        allowed."
                                      maxLength: 255
                                      type: string
                                  type: object
                                type: array
                              l7:
                                description: Key-value pair rules.
                                items:
                                  additionalProperties:
                                    type: string
                                  description: PortRuleL7 is a list of key-value pairs
                                    interpreted by a L7 protocol as protocol constraints.
                                    All fields are optional, if all fields are empty
                                    or missing, the rule does not have any effect.
                                  type: object
                                type: array
                              l7proto:
                                description: Name of the L7 protocol for which the
                                  Key-value pair rules apply.
                                type: string
                            type: object
                          serverNames:
                            description: ServerNames is a list of allowed TLS SNI
                              values. If not empty, then TLS must be present and one
                              of the provided SNIs must be indicated in the TLS handshake.
                            items:
                              type: string
                            type: array
                          terminatingTLS:
                            description: TerminatingTLS is the TLS context for the
                              connection terminated by the L7 proxy.  For egress policy
                              this specifies the server-side TLS parameters to be
                              applied on the connections originated from the local
                              endpoint and terminated by the L7 proxy. For ingress
                              policy this specifies the server-side TLS parameters
                              to be applied on the connections originated from a remote
                              source and terminated by the L7 proxy.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret
                                  item name for the certificate chain. If omitted,
                                  'tls.crt' is assumed, if it exists. If given, the
                                  item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret
                                  item name for the private key matching the certificate
                                  chain. If omitted, 'tls.key' is assumed, if it exists.
                                  If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the
                                  certificates and private key for the TLS context.
                                  By default, Cilium will search in this secret for
                                  the following items: - ''ca.crt''  - Which represents
                                  the trusted CA to verify remote source. - ''tls.crt''
                                  - Which represents the public key certificate. -
                                  ''tls.key'' - Which represents the private key matching
                                  the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which
                                      the secret exists. Context of use determines
                                      the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret
                                  item name for the trusted CA. If omitted, 'ca.crt'
                                  is assumed, if it exists. If given, the item must
                                  exist.
                                type: string
                            required:
                            - secret
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              ingressDeny:
                description: IngressDeny is a list of IngressDenyRule which are enforced
                  at ingress. Any rule inserted here will be denied regardless of
                  the allowed ingress rules in the 'ingress' field. If omitted or
                  empty, this rule does not apply at ingress.
                items:
                  description: "IngressDenyRule contains all rule types which can
                    be applied at ingress, i.e. network traffic that originates outside
                    of the endpoint and is entering the endpoint selected by the endpointSelector.
                    \n - All members of this structure are optional. If omitted or
                    empty, the member will have no effect on the rule. \n - If multiple
                    members are set, all of them need to match in order for the rule
                    to take effect. The exception to this rule is FromRequires field;
                    the effects of any Requires field in any rule will apply to all
                    other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet
                    and FromEntities are mutually exclusive. Only one of these members
                    may be present within an individual rule."
                  properties:
                    fromCIDR:
                      description: "FromCIDR is a list of IP blocks which the endpoint
                        subject to the rule is allowed to receive connections from.
                        Only connections which do *not* originate from the cluster
                        or from the local host are subject to CIDR rules. In order
                        to allow in-cluster connectivity, use the FromEndpoints field.
                        \ This will match on the source IP address of incoming connections.
                        Adding  a prefix into FromCIDR or into FromCIDRSet with no
                        ExcludeCIDRs is  equivalent.  Overlaps are allowed between
                        FromCIDR and FromCIDRSet. \n Example: Any endpoint with the
                        label \"app=my-legacy-pet\" is allowed to receive connections
                        from 10.3.9.1"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example:
                          192.0.2.1/32'
                        pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                        type: string
                      type: array
                    fromCIDRSet:
                      description: "FromCIDRSet is a list of IP blocks which the endpoint
                        subject to the rule is allowed to receive connections from
                        in addition to FromEndpoints, along with a list of subnets
                        contained within their corresponding IP block from which traffic
                        should not be allowed. This will match on the source IP address
                        of incoming connections. Adding a prefix into FromCIDR or
                        into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps
                        are allowed between FromCIDR and FromCIDRSet. \n Example:
                        Any endpoint with the label \"app=my-legacy-pet\" is allowed
                        to receive connections from 10.0.0.0/8 except from IPs in
                        subnet 10.96.0.0/12."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix
                          to/from which outside communication  is allowed, along with
                          an optional list of subnets within that CIDR prefix to/from
                          which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                              object. A CiliumCIDRGroup contains a list of CIDRs that
                              the endpoint, subject to the rule, can (Ingress) or
                              cannot (IngressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks which
                              the endpoint subject to the rule is not allowed to initiate
                              connections to. These CIDR prefixes should be contained
                              within Cidr, using ExceptCIDRs together with CIDRGroupRef
                              is not supported yet. These exceptions are only applied
                              to the Cidr in this CIDRRule, and do not apply to any
                              other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses.
                                Example: 192.0.2.1/32'
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            type: array
                        type: object
                      type: array
                    fromEndpoints:
                      description: "FromEndpoints is a list of endpoints identified
                        by an EndpointSelector which are allowed to communicate with
                        the endpoint subject to the rule. \n Example: Any endpoint
                        with the label \"role=backend\" can be consumed by any endpoint
                        carrying the label \"role=frontend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromEntities:
                      description: FromEntities is a list of special entities which
                        the endpoint subject to the rule is allowed to receive connections
                        from. Supported entities are `world`, `cluster` and `host`
                      items:
                        description: Entity specifies the class of receiver/sender
                          endpoints that do not have individual identities.  Entities
                          are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    fromNodes:
                      description: FromNodes is a list of nodes identified by an EndpointSelector
                        which are allowed to communicate with the endpoint subject
                        to the rule.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromRequires:
                      description: "FromRequires is a list of additional constraints
                        which must be met in order for the selected endpoints to be
                        reachable. These additional constraints do no by itself grant
                        access privileges and must always be accompanied with at least
                        one matching FromEndpoints. \n Example: Any Endpoint with
                        the label \"team=A\" requires consuming endpoint to also carry
                        the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector
                              requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector
                                that contains values, a key, and an operator that
                                relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector
                                    applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship
                                    to a set of values. Valid operators are In, NotIn,
                                    Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values.
                                    If the operator is In or NotIn, the values array
                                    must be non-empty. If the operator is Exists or
                                    DoesNotExist, the values array must be empty.
                                    This array is replaced during a strategic merge
                                    patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from
                                the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs.
                              A single {key,value} in the matchLabels map is equivalent
                              to an element of matchExpressions, whose key field is
                              "key", the operator is "In", and the values array contains
                              only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    icmps:
                      description: "ICMPs is a list of ICMP rule identified by type
                        number which the endpoint subject to the rule is not allowed
                        to receive connections on. \n Example: Any endpoint with the
                        label \"app=httpd\" can not accept incoming type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is a ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is a IP address version. Currently,
                                    we support `IPv4` and `IPv6`. `IPv4` is set as
                                    default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  description: Type is a ICMP-type. It should be 0-255
                                    (8bit).
                                  maximum: 255
                                  minimum: 0
                                  type: integer
                              required:
                              - type
                              type: object
                            type: array
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified
                        by port number and protocol which the endpoint subject to
                        the rule is not allowed to receive connections on. \n Example:
                        Any endpoint with the label \"app=httpd\" can not accept incoming
                        connections on port 80/tcp."
                      items:
                        description: PortDenyRule is a list of ports/protocol that
                          should be used for deny policies. This structure lacks the
                          L7Rules since it's not supported in deny policies.
                        properties:
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with
                                an optional transport protocol
                              properties:
                                port:
                                  description: Port is an L4 port number. For now
                                    the string will be strictly parsed as a single
                                    uint16. In the future, this field may support
                                    ranges in the form "1024-2048 Port can also be
                                    a port name, which must contain at least one [a-z],
                                    and may also contain [0-9] and '-' anywhere except
                                    adjacent to another '-' or in the beginning or
                                    the end.
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted
                                    or empty, any protocol matches. Accepted values:
                                    \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching
                                    on ICMP is not supported. \n Named port specified
                                    for a container may narrow this down, but may
                                    not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                        type: object
                      type: array
                  type: object
                type: array
              labels:
                description: Labels is a list of optional strings which can be used
                  to re-identify the rule or to store metadata. It is possible to
                  lookup or delete strings based on labels. Labels are not required
                  to be unique, multiple rules can have overlapping or identical labels.
                items:
                  description: Label is the Cilium's representation of a container
                    label.
                  properties:
                    key:
                      type: string
                    source:
                      description: 'Source can be one of the above values (e.g.: LabelSourceContainer).'
                      type: string
                    value:
                      type: string
                  required:
                  - key
                  type: object
                type: array
              nodeSelector:
                description: NodeSelector selects all nodes which should be subject
                  to this rule. EndpointSelector and NodeSelector cannot be both empty
                  and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that
                        contains values, a key, and an operator that relates the key
                        and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to
                            a set of values. Valid operators are In, NotIn, Exists
                            and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the
                            operator is In or NotIn, the values array must be non-empty.
                            If the operator is Exists or DoesNotExist, the values
                            array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    additionalProperties:
                      description: MatchLabelsValue represents the value from the
                        MatchLabels {key,value} pair.
                      maxLength: 63
                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                      type: string
                    description: matchLabels is a map of {key,value} pairs. A single
                      {key,value} in the matchLabels map is equivalent to an element
                      of matchExpressions, whose key field is "key", the operator
                      is "In", and the values array contains only "value". The requirements
                      are ANDed.
                    type: object
                type: object
            type: object
          specs:
            description: Specs is a list of desired Cilium specific rule specification.
            items:
              description: "Rule is a policy rule which must be applied to all endpoints
                which match the labels contained in the endpointSelector \n Each rule
                is split into an ingress section which contains all rules applicable
                at ingress, and an egress section applicable at egress. For rule types
                such as `L4Rule` and `CIDR` which can be applied at both ingress and
                egress, both ingress and egress side have to either specifically allow
                the connection or one side has to be omitted. \n Either ingress, egress,
                or both can be provided. If both ingress and egress are omitted, the
                rule has no effect."
              oneOf:
              - properties:
                  endpointSelector: {}
                required:
                - endpointSelector
              - properties:
                  nodeSelector: {}
                required:
                - nodeSelector
              properties:
                description:
                  description: Description is a free form string, it can be used by
                    the creator of the rule to store human readable explanation of
                    the purpose of this rule. Rules cannot be identified by comment.
                  type: string
                egress:
                  description: Egress is a list of EgressRule which are enforced at
                    egress. If omitted or empty, this rule does not apply at egress.
                  items:
                    description: "EgressRule contains all rule types which can be
                      applied at egress, i.e. network traffic that originates inside
                      the endpoint and exits the endpoint selected by the endpointSelector.
                      \n - All members of this structure are optional. If omitted
                      or empty, the member will have no effect on the rule. \n - If
                      multiple members of the structure are specified, then all members
                      must match in order for the rule to take effect. The exception
                      to this rule is the ToRequires member; the effects of any Requires
                      field in any rule will apply to all other rules as well. \n
                      - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and
                      ToGroups are mutually exclusive. Only one of these members may
                      be present within an individual rule."
                    properties:
                      authentication:
                        description: Authentication is the required authentication
                          type for the allowed traffic, if any.
                        properties:
                          mode:
                            description: Mode is the required authentication mode
                              for the allowed traffic, if any.
                            enum:
                            - disabled
                            - required
                            - test-always-fail
                            type: string
                        required:
                        - mode
                        type: object
                      icmps:
                        description: "ICMPs is a list of ICMP rule identified by type
                          number which the endpoint subject to the rule is allowed
                          to connect to. \n Example: Any endpoint with the label \"app=httpd\"
                          is allowed to initiate type 8 ICMP connections."
                        items:
                          description: ICMPRule is a list of ICMP fields.
                          properties:
                            fields:
                              description: Fields is a list of ICMP fields.
                              items:
                                description: ICMPField is a ICMP field.
                                properties:
                                  family:
                                    default: IPv4
                                    description: Family is a IP address version. Currently,
                                      we support `IPv4` and `IPv6`. `IPv4` is set
                                      as default.
                                    enum:
                                    - IPv4
                                    - IPv6
                                    type: string
                                  type:
                                    description: Type is a ICMP-type. It should be
                                      0-255 (8bit).
                                    maximum: 255
                                    minimum: 0
                                    type: integer
                                required:
                                - type
                                type: object
                              type: array
                          type: object
                        type: array
                      toCIDR:
                        description: "ToCIDR is a list of IP blocks which the endpoint
                          subject to the rule is allowed to initiate connections.
                          Only connections destined for outside of the cluster and
                          not targeting the host will be subject to CIDR rules.  This
                          will match on the destination IP address of outgoing connections.
                          Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                          is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                          \n Example: Any endpoint with the label \"app=database-proxy\"
                          is allowed to initiate connections to 10.2.3.0/24"
                        items:
                          description: 'CIDR specifies a block of IP addresses. Example:
                            192.0.2.1/32'
                          pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        type: array
                      toCIDRSet:
                        description: "ToCIDRSet is a list of IP blocks which the endpoint
                          subject to the rule is allowed to initiate connections to
                          in addition to connections which are allowed via ToEndpoints,
                          along with a list of subnets contained within their corresponding
                          IP block to which traffic should not be allowed. This will
                          match on the destination IP address of outgoing connections.
                          Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                          is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                          \n Example: Any endpoint with the label \"app=database-proxy\"
                          is allowed to initiate connections to 10.2.3.0/24 except
                          from IPs in subnet 10.2.3.0/28."
                        items:
                          description: CIDRRule is a rule that specifies a CIDR prefix
                            to/from which outside communication  is allowed, along
                            with an optional list of subnets within that CIDR prefix
                            to/from which outside communication is not allowed.
                          oneOf:
                          - properties:
                              cidr: {}
                            required:
                            - cidr
                          - properties:
                              cidrGroupRef: {}
                            required:
                            - cidrGroupRef
                          properties:
                            cidr:
                              description: CIDR is a CIDR prefix / IP Block.
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            cidrGroupRef:
                              description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                                object. A CiliumCIDRGroup contains a list of CIDRs
                                that the endpoint, subject to the rule, can (Ingress)
                                or cannot (IngressDeny) receive connections from.
                              maxLength: 253
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            except:
                              description: ExceptCIDRs is a list of IP blocks which
                                the endpoint subject to the rule is not allowed to
                                initiate connections to. These CIDR prefixes should
                                be contained within Cidr, using ExceptCIDRs together
                                with CIDRGroupRef is not supported yet. These exceptions
                                are only applied to the Cidr in this CIDRRule, and
                                do not apply to any other CIDR prefixes in any other
                                CIDRRules.
                              items:
                                description: 'CIDR specifies a block of IP addresses.
                                  Example: 192.0.2.1/32'
                                pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                                type: string
                              type: array
                          type: object
                        type: array
                      toEndpoints:
                        description: "ToEndpoints is a list of endpoints identified
                          by an EndpointSelector to which the endpoints subject to
                          the rule are allowed to communicate. \n Example: Any endpoint
                          with the label \"role=frontend\" can communicate with any
                          endpoint carrying the label \"role=backend\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toEntities:
                        description: ToEntities is a list of special entities to which
                          the endpoint subject to the rule is allowed to initiate
                          connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`,
                          `init`, `health`,`unmanaged` and `all`.
                        items:
                          description: Entity specifies the class of receiver/sender
                            endpoints that do not have individual identities.  Entities
                            are used to describe "outside of cluster", "host", etc.
                          enum:
                          - all
                          - world
                          - cluster
                          - host
                          - init
                          - ingress
                          - unmanaged
                          - remote-node
                          - health
                          - none
                          - kube-apiserver
                          type: string
                        type: array
                      toFQDNs:
                        description: 'ToFQDN allows whitelisting DNS names in place
                          of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s
                          are added to the same EgressRule object as ToCIDRSet entries,
                          and behave accordingly. Any L4 and L7 rules within this
                          EgressRule will also apply to these IPs. The DNS -> IP mapping
                          is re-resolved periodically from within the cilium-agent,
                          and the IPs in the DNS response are effected in the policy
                          for selected pods as-is (i.e. the list of IPs is not modified
                          in any way). Note: An explicit rule to allow for DNS traffic
                          is needed for the pods, as ToFQDN counts as an egress rule
                          and will enforce egress policy when PolicyEnforcment=default.
                          Note: If the resolved IPs are IPs within the kubernetes
                          cluster, the ToFQDN rule will not apply to that IP. Note:
                          ToFQDN cannot occur in the same policy as other To* rules.'
                        items:
                          properties:
                            matchName:
                              description: MatchName matches literal DNS names. A
                                trailing "." is automatically added when missing.
                              pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                              type: string
                            matchPattern:
                              description: "MatchPattern allows using wildcards to
                                match DNS names. All wildcards are case insensitive.
                                The wildcards are: - \"*\" matches 0 or more DNS valid
                                characters, and may occur anywhere in the pattern.
                                As a special case a \"*\" as the leftmost character,
                                without a following \".\" matches all subdomains as
                                well as the name to the right. A trailing \".\" is
                                automatically added when missing. \n Examples: `*.cilium.io`
                                matches subomains of cilium at that level www.cilium.io
                                and blog.cilium.io match, cilium.io and google.com
                                do not `*cilium.io` matches cilium.io and all subdomains
                                ends with \"cilium.io\" except those containing \".\"
                                separator, subcilium.io and sub-cilium.io match, www.cilium.io
                                and blog.cilium.io does not sub*.cilium.io matches
                                subdomains of cilium where the subdomain component
                                begins with \"sub\" sub.cilium.io and subdomain.cilium.io
                                match, www.cilium.io, blog.cilium.io, cilium.io and
                                google.com do not"
                              pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                              type: string
                          type: object
                        type: array
                      toGroups:
                        description: "ToGroups is a directive that allows the integration
                          with multiple outside providers. Currently, only AWS is
                          supported, and the rule can select by multiple sub directives:
                          \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                        items:
                          description: ToGroups structure to store all kinds of new
                            integrations that needs a new derivative policy.
                          properties:
                            aws:
                              description: AWSGroup is an structure that can be used
                                to whitelisting information from AWS integration
                              properties:
                                labels:
                                  additionalProperties:
                                    type: string
                                  type: object
                                region:
                                  type: string
                                securityGroupsIds:
                                  items:
                                    type: string
                                  type: array
                                securityGroupsNames:
                                  items:
                                    type: string
                                  type: array
                              type: object
                          type: object
                        type: array
                      toNodes:
                        description: ToNodes is a list of nodes identified by an EndpointSelector
                          to which endpoints subject to the rule is allowed to communicate.
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toPorts:
                        description: "ToPorts is a list of destination ports identified
                          by port number and protocol which the endpoint subject to
                          the rule is allowed to connect to. \n Example: Any endpoint
                          with the label \"role=frontend\" is allowed to initiate
                          connections to destination port 8080/tcp"
                        items:
                          description: PortRule is a list of ports/protocol combinations
                            with optional Layer 7 rules which must be met.
                          properties:
                            listener:
                              description: listener specifies the name of a custom
                                Envoy listener to which this traffic should be redirected
                                to.
                              properties:
                                envoyConfig:
                                  description: EnvoyConfig is a reference to the CEC
                                    or CCEC resource in which the listener is defined.
                                  properties:
                                    kind:
                                      description: Kind is the resource type being
                                        referred to. Defaults to CiliumEnvoyConfig
                                        or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy
                                        and CiliumClusterwideNetworkPolicy, respectively.
                                        The only case this is currently explicitly
                                        needed is when referring to a CiliumClusterwideEnvoyConfig
                                        from CiliumNetworkPolicy, as using a namespaced
                                        listener from a cluster scoped policy is not
                                        allowed.
                                      enum:
                                      - CiliumEnvoyConfig
                                      - CiliumClusterwideEnvoyConfig
                                      type: string
                                    name:
                                      description: Name is the resource name of the
                                        CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig
                                        where the listener is defined in.
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  type: object
                                name:
                                  description: Name is the name of the listener.
                                  minLength: 1
                                  type: string
                                priority:
                                  description: Priority for this Listener that is
                                    used when multiple rules would apply different
                                    listeners to a policy map entry. Behavior of this
                                    is implementation dependent.
                                  maximum: 100
                                  minimum: 1
                                  type: integer
                              required:
                              - envoyConfig
                              - name
                              type: object
                            originatingTLS:
                              description: OriginatingTLS is the TLS context for the
                                connections originated by the L7 proxy.  For egress
                                policy this specifies the client-side TLS parameters
                                for the upstream connection originating from the L7
                                proxy to the remote destination. For ingress policy
                                this specifies the client-side TLS parameters for
                                the connection from the L7 proxy to the local endpoint.
                              properties:
                                certificate:
                                  description: Certificate is the file name or k8s
                                    secret item name for the certificate chain. If
                                    omitted, 'tls.crt' is assumed, if it exists. If
                                    given, the item must exist.
                                  type: string
                                privateKey:
                                  description: PrivateKey is the file name or k8s
                                    secret item name for the private key matching
                                    the certificate chain. If omitted, 'tls.key' is
                                    assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                                secret:
                                  description: 'Secret is the secret that contains
                                    the certificates and private key for the TLS context.
                                    By default, Cilium will search in this secret
                                    for the following items: - ''ca.crt''  - Which
                                    represents the trusted CA to verify remote source.
                                    - ''tls.crt'' - Which represents the public key
                                    certificate. - ''tls.key'' - Which represents
                                    the private key matching the public key certificate.'
                                  properties:
                                    name:
                                      description: Name is the name of the secret.
                                      type: string
                                    namespace:
                                      description: Namespace is the namespace in which
                                        the secret exists. Context of use determines
                                        the default value if left out (e.g., "default").
                                      type: string
                                  required:
                                  - name
                                  type: object
                                trustedCA:
                                  description: TrustedCA is the file name or k8s secret
                                    item name for the trusted CA. If omitted, 'ca.crt'
                                    is assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                              required:
                              - secret
                              type: object
                            ports:
                              description: Ports is a list of L4 port/protocol
                              items:
                                description: PortProtocol specifies an L4 port with
                                  an optional transport protocol
                                properties:
                                  port:
                                    description: Port is an L4 port number. For now
                                      the string will be strictly parsed as a single
                                      uint16. In the future, this field may support
                                      ranges in the form "1024-2048 Port can also
                                      be a port name, which must contain at least
                                      one [a-z], and may also contain [0-9] and '-'
                                      anywhere except adjacent to another '-' or in
                                      the beginning or the end.
                                    pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                    type: string
                                  protocol:
                                    description: "Protocol is the L4 protocol. If
                                      omitted or empty, any protocol matches. Accepted
                                      values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"
                                      \n Matching on ICMP is not supported. \n Named
                                      port specified for a container may narrow this
                                      down, but may not contradict this."
                                    enum:
                                    - TCP
                                    - UDP
                                    - SCTP
                                    - ANY
                                    type: string
                                required:
                                - port
                                type: object
                              type: array
                            rules:
                              description: Rules is a list of additional port level
                                rules which must be met in order for the PortRule
                                to allow the traffic. If omitted or empty, no layer
                                7 rules are enforced.
                              properties:
                                dns:
                                  description: DNS-specific rules.
                                  items:
                                    description: PortRuleDNS is a list of allowed
                                      DNS lookups.
                                    properties:
                                      matchName:
                                        description: MatchName matches literal DNS
                                          names. A trailing "." is automatically added
                                          when missing.
                                        pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                        type: string
                                      matchPattern:
                                        description: "MatchPattern allows using wildcards
                                          to match DNS names. All wildcards are case
                                          insensitive. The wildcards are: - \"*\"
                                          matches 0 or more DNS valid characters,
                                          and may occur anywhere in the pattern. As
                                          a special case a \"*\" as the leftmost character,
                                          without a following \".\" matches all subdomains
                                          as well as the name to the right. A trailing
                                          \".\" is automatically added when missing.
                                          \n Examples: `*.cilium.io` matches subomains
                                          of cilium at that level www.cilium.io and
                                          blog.cilium.io match, cilium.io and google.com
                                          do not `*cilium.io` matches cilium.io and
                                          all subdomains ends with \"cilium.io\" except
                                          those containing \".\" separator, subcilium.io
                                          and sub-cilium.io match, www.cilium.io and
                                          blog.cilium.io does not sub*.cilium.io matches
                                          subdomains of cilium where the subdomain
                                          component begins with \"sub\" sub.cilium.io
                                          and subdomain.cilium.io match, www.cilium.io,
                                          blog.cilium.io, cilium.io and google.com
                                          do not"
                                        pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                        type: string
                                    type: object
                                  type: array
                                http:
                                  description: HTTP specific rules.
                                  items:
                                    description: "PortRuleHTTP is a list of HTTP protocol
                                      constraints. All fields are optional, if all
                                      fields are empty or missing, the rule does not
                                      have any effect. \n All fields of this type
                                      are extended POSIX regex as defined by IEEE
                                      Std 1003.1, (i.e this follows the egrep/unix
                                      syntax, not the perl syntax) matched against
                                      the path of an incoming request. Currently it
                                      can contain characters disallowed from the conventional
                                      \"path\" part of a URL as defined by RFC 3986."
                                    properties:
                                      headerMatches:
                                        description: HeaderMatches is a list of HTTP
                                          headers which must be present and match
                                          against the given values. Mismatch field
                                          can be used to specify what to do when there
                                          is no match.
                                        items:
                                          description: HeaderMatch extends the HeaderValue
                                            for matching requirement of a named header
                                            field against an immediate string, a secret
                                            value, or a regex.  If none of the optional
                                            fields is present, then the header value
                                            is not matched, only presence of the header
                                            is enough.
                                          properties:
                                            mismatch:
                                              description: Mismatch identifies what
                                                to do in case there is no match. The
                                                default is to drop the request. Otherwise
                                                the overall rule is still considered
                                                as matching, but the mismatches are
                                                logged in the access log.
                                              enum:
                                              - LOG
                                              - ADD
                                              - DELETE
                                              - REPLACE
                                              type: string
                                            name:
                                              description: Name identifies the header.
                                              type: string
                                            secret:
                                              description: Secret refers to a secret
                                                that contains the value to be matched
                                                against. The secret must only contain
                                                one entry. If the referred secret
                                                does not exist, and there is no "Value"
                                                specified, the match will fail.
                                              properties:
                                                name:
                                                  description: Name is the name of
                                                    the secret.
                                                  type: string
                                                namespace:
                                                  description: Namespace is the namespace
                                                    in which the secret exists. Context
                                                    of use determines the default
                                                    value if left out (e.g., "default").
                                                  type: string
                                              required:
                                              - name
                                              type: object
                                            value:
                                              description: Value matches the exact
                                                value of the header. Can be specified
                                                either alone or together with "Secret";
                                                will be used as the header value if
                                                the secret can not be found in the
                                                latter case.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        type: array
                                      headers:
                                        description: Headers is a list of HTTP headers
                                          which must be present in the request. If
                                          omitted or empty, requests are allowed regardless
                                          of headers present.
                                        items:
                                          type: string
                                        type: array
                                      host:
                                        description: "Host is an extended POSIX regex
                                          matched against the host header of a request,
                                          e.g. \"foo.com\" \n If omitted or empty,
                                          the value of the host header is ignored."
                                        format: idn-hostname
                                        type: string
                                      method:
                                        description: "Method is an extended POSIX
                                          regex matched against the method of a request,
                                          e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\",
                                          \"DELETE\", ... \n If omitted or empty,
                                          all methods are allowed."
                                        type: string
                                      path:
                                        description: "Path is an extended POSIX regex
                                          matched against the path of a request. Currently
                                          it can contain characters disallowed from
                                          the conventional \"path\" part of a URL
                                          as defined by RFC 3986. \n If omitted or
                                          empty, all paths are all allowed."
                                        type: string
                                    type: object
                                  type: array
                                kafka:
                                  description: Kafka-specific rules.
                                  items:
                                    description: PortRule is a list of Kafka protocol
                                      constraints. All fields are optional, if all
                                      fields are empty or missing, the rule will match
                                      all Kafka messages.
                                    properties:
                                      apiKey:
                                        description: "APIKey is a case-insensitive
                                          string matched against the key of a request,
                                          e.g. \"produce\", \"fetch\", \"createtopic\",
                                          \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys
                                          \n If omitted or empty, and if Role is not
                                          specified, then all keys are allowed."
                                        type: string
                                      apiVersion:
                                        description: "APIVersion is the version matched
                                          against the api version of the Kafka message.
                                          If set, it has to be a string representing
                                          a positive integer. \n If omitted or empty,
                                          all versions are allowed."
                                        type: string
                                      clientID:
                                        description: "ClientID is the client identifier
                                          as provided in the request. \n From Kafka
                                          protocol documentation: This is a user supplied
                                          identifier for the client application. The
                                          user can use any identifier they like and
                                          it will be used when logging errors, monitoring
                                          aggregates, etc. For example, one might
                                          want to monitor not just the requests per
                                          second overall, but the number coming from
                                          each client application (each of which could
                                          reside on multiple servers). This id acts
                                          as a logical grouping across all requests
                                          from a particular client. \n If omitted
                                          or empty, all client identifiers are allowed."
                                        type: string
                                      role:
                                        description: "Role is a case-insensitive string
                                          and describes a group of API keys necessary
                                          to perform certain higher-level Kafka operations
                                          such as \"produce\" or \"consume\". A Role
                                          automatically expands into all APIKeys required
                                          to perform the specified higher-level operation.
                                          \n The following values are supported: -
                                          \"produce\": Allow producing to the topics
                                          specified in the rule - \"consume\": Allow
                                          consuming from the topics specified in the
                                          rule \n This field is incompatible with
                                          the APIKey field, i.e APIKey and Role cannot
                                          both be specified in the same rule. \n If
                                          omitted or empty, and if APIKey is not specified,
                                          then all keys are allowed."
                                        enum:
                                        - produce
                                        - consume
                                        type: string
                                      topic:
                                        description: "Topic is the topic name contained
                                          in the message. If a Kafka request contains
                                          multiple topics, then all topics must be
                                          allowed or the message will be rejected.
                                          \n This constraint is ignored if the matched
                                          request message type doesn't contain any
                                          topic. Maximum size of Topic can be 249
                                          characters as per recent Kafka spec and
                                          allowed characters are a-z, A-Z, 0-9, -,
                                          . and _. \n Older Kafka versions had longer
                                          topic lengths of 255, but in Kafka 0.10
                                          version the length was changed from 255
                                          to 249. For compatibility reasons we are
                                          using 255. \n If omitted or empty, all topics
                                          are allowed."
                                        maxLength: 255
                                        type: string
                                    type: object
                                  type: array
                                l7:
                                  description: Key-value pair rules.
                                  items:
                                    additionalProperties:
                                      type: string
                                    description: PortRuleL7 is a list of key-value
                                      pairs interpreted by a L7 protocol as protocol
                                      constraints. All fields are optional, if all
                                      fields are empty or missing, the rule does not
                                      have any effect.
                                    type: object
                                  type: array
                                l7proto:
                                  description: Name of the L7 protocol for which the
                                    Key-value pair rules apply.
                                  type: string
                              type: object
                            serverNames:
                              description: ServerNames is a list of allowed TLS SNI
                                values. If not empty, then TLS must be present and
                                one of the provided SNIs must be indicated in the
                                TLS handshake.
                              items:
                                type: string
                              type: array
                            terminatingTLS:
                              description: TerminatingTLS is the TLS context for the
                                connection terminated by the L7 proxy.  For egress
                                policy this specifies the server-side TLS parameters
                                to be applied on the connections originated from the
                                local endpoint and terminated by the L7 proxy. For
                                ingress policy this specifies the server-side TLS
                                parameters to be applied on the connections originated
                                from a remote source and terminated by the L7 proxy.
                              properties:
                                certificate:
                                  description: Certificate is the file name or k8s
                                    secret item name for the certificate chain. If
                                    omitted, 'tls.crt' is assumed, if it exists. If
                                    given, the item must exist.
                                  type: string
                                privateKey:
                                  description: PrivateKey is the file name or k8s
                                    secret item name for the private key matching
                                    the certificate chain. If omitted, 'tls.key' is
                                    assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                                secret:
                                  description: 'Secret is the secret that contains
                                    the certificates and private key for the TLS context.
                                    By default, Cilium will search in this secret
                                    for the following items: - ''ca.crt''  - Which
                                    represents the trusted CA to verify remote source.
                                    - ''tls.crt'' - Which represents the public key
                                    certificate. - ''tls.key'' - Which represents
                                    the private key matching the public key certificate.'
                                  properties:
                                    name:
                                      description: Name is the name of the secret.
                                      type: string
                                    namespace:
                                      description: Namespace is the namespace in which
                                        the secret exists. Context of use determines
                                        the default value if left out (e.g., "default").
                                      type: string
                                  required:
                                  - name
                                  type: object
                                trustedCA:
                                  description: TrustedCA is the file name or k8s secret
                                    item name for the trusted CA. If omitted, 'ca.crt'
                                    is assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                              required:
                              - secret
                              type: object
                          type: object
                        type: array
                      toRequires:
                        description: "ToRequires is a list of additional constraints
                          which must be met in order for the selected endpoints to
                          be able to connect to other endpoints. These additional
                          constraints do no by itself grant access privileges and
                          must always be accompanied with at least one matching ToEndpoints.
                          \n Example: Any Endpoint with the label \"team=A\" requires
                          any endpoint to which it communicates to also carry the
                          label \"team=A\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toServices:
                        description: "ToServices is a list of services to which the
                          endpoint subject to the rule is allowed to initiate connections.
                          Currently Cilium only supports toServices for K8s services
                          without selectors. \n Example: Any endpoint with the label
                          \"app=backend-app\" is allowed to initiate connections to
                          all cidrs backing the \"external-service\" service"
                        items:
                          description: Service wraps around selectors for services
                          properties:
                            k8sService:
                              description: K8sService selects service by name and
                                namespace pair
                              properties:
                                namespace:
                                  type: string
                                serviceName:
                                  type: string
                              type: object
                            k8sServiceSelector:
                              description: K8sServiceSelector selects services by
                                k8s labels and namespace
                              properties:
                                namespace:
                                  type: string
                                selector:
                                  description: ServiceSelector is a label selector
                                    for k8s services
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            enum:
                                            - In
                                            - NotIn
                                            - Exists
                                            - DoesNotExist
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        description: MatchLabelsValue represents the
                                          value from the MatchLabels {key,value} pair.
                                        maxLength: 63
                                        pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                              required:
                              - selector
                              type: object
                          type: object
                        type: array
                    type: object
                  type: array
                egressDeny:
                  description: EgressDeny is a list of EgressDenyRule which are enforced
                    at egress. Any rule inserted here will be denied regardless of
                    the allowed egress rules in the 'egress' field. If omitted or
                    empty, this rule does not apply at egress.
                  items:
                    description: "EgressDenyRule contains all rule types which can
                      be applied at egress, i.e. network traffic that originates inside
                      the endpoint and exits the endpoint selected by the endpointSelector.
                      \n - All members of this structure are optional. If omitted
                      or empty, the member will have no effect on the rule. \n - If
                      multiple members of the structure are specified, then all members
                      must match in order for the rule to take effect. The exception
                      to this rule is the ToRequires member; the effects of any Requires
                      field in any rule will apply to all other rules as well. \n
                      - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and
                      ToGroups are mutually exclusive. Only one of these members may
                      be present within an individual rule."
                    properties:
                      icmps:
                        description: "ICMPs is a list of ICMP rule identified by type
                          number which the endpoint subject to the rule is not allowed
                          to connect to. \n Example: Any endpoint with the label \"app=httpd\"
                          is not allowed to initiate type 8 ICMP connections."
                        items:
                          description: ICMPRule is a list of ICMP fields.
                          properties:
                            fields:
                              description: Fields is a list of ICMP fields.
                              items:
                                description: ICMPField is a ICMP field.
                                properties:
                                  family:
                                    default: IPv4
                                    description: Family is a IP address version. Currently,
                                      we support `IPv4` and `IPv6`. `IPv4` is set
                                      as default.
                                    enum:
                                    - IPv4
                                    - IPv6
                                    type: string
                                  type:
                                    description: Type is a ICMP-type. It should be
                                      0-255 (8bit).
                                    maximum: 255
                                    minimum: 0
                                    type: integer
                                required:
                                - type
                                type: object
                              type: array
                          type: object
                        type: array
                      toCIDR:
                        description: "ToCIDR is a list of IP blocks which the endpoint
                          subject to the rule is allowed to initiate connections.
                          Only connections destined for outside of the cluster and
                          not targeting the host will be subject to CIDR rules.  This
                          will match on the destination IP address of outgoing connections.
                          Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                          is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                          \n Example: Any endpoint with the label \"app=database-proxy\"
                          is allowed to initiate connections to 10.2.3.0/24"
                        items:
                          description: 'CIDR specifies a block of IP addresses. Example:
                            192.0.2.1/32'
                          pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        type: array
                      toCIDRSet:
                        description: "ToCIDRSet is a list of IP blocks which the endpoint
                          subject to the rule is allowed to initiate connections to
                          in addition to connections which are allowed via ToEndpoints,
                          along with a list of subnets contained within their corresponding
                          IP block to which traffic should not be allowed. This will
                          match on the destination IP address of outgoing connections.
                          Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs
                          is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
                          \n Example: Any endpoint with the label \"app=database-proxy\"
                          is allowed to initiate connections to 10.2.3.0/24 except
                          from IPs in subnet 10.2.3.0/28."
                        items:
                          description: CIDRRule is a rule that specifies a CIDR prefix
                            to/from which outside communication  is allowed, along
                            with an optional list of subnets within that CIDR prefix
                            to/from which outside communication is not allowed.
                          oneOf:
                          - properties:
                              cidr: {}
                            required:
                            - cidr
                          - properties:
                              cidrGroupRef: {}
                            required:
                            - cidrGroupRef
                          properties:
                            cidr:
                              description: CIDR is a CIDR prefix / IP Block.
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            cidrGroupRef:
                              description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                                object. A CiliumCIDRGroup contains a list of CIDRs
                                that the endpoint, subject to the rule, can (Ingress)
                                or cannot (IngressDeny) receive connections from.
                              maxLength: 253
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            except:
                              description: ExceptCIDRs is a list of IP blocks which
                                the endpoint subject to the rule is not allowed to
                                initiate connections to. These CIDR prefixes should
                                be contained within Cidr, using ExceptCIDRs together
                                with CIDRGroupRef is not supported yet. These exceptions
                                are only applied to the Cidr in this CIDRRule, and
                                do not apply to any other CIDR prefixes in any other
                                CIDRRules.
                              items:
                                description: 'CIDR specifies a block of IP addresses.
                                  Example: 192.0.2.1/32'
                                pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                                type: string
                              type: array
                          type: object
                        type: array
                      toEndpoints:
                        description: "ToEndpoints is a list of endpoints identified
                          by an EndpointSelector to which the endpoints subject to
                          the rule are allowed to communicate. \n Example: Any endpoint
                          with the label \"role=frontend\" can communicate with any
                          endpoint carrying the label \"role=backend\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toEntities:
                        description: ToEntities is a list of special entities to which
                          the endpoint subject to the rule is allowed to initiate
                          connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`,
                          `init`, `health`,`unmanaged` and `all`.
                        items:
                          description: Entity specifies the class of receiver/sender
                            endpoints that do not have individual identities.  Entities
                            are used to describe "outside of cluster", "host", etc.
                          enum:
                          - all
                          - world
                          - cluster
                          - host
                          - init
                          - ingress
                          - unmanaged
                          - remote-node
                          - health
                          - none
                          - kube-apiserver
                          type: string
                        type: array
                      toGroups:
                        description: "ToGroups is a directive that allows the integration
                          with multiple outside providers. Currently, only AWS is
                          supported, and the rule can select by multiple sub directives:
                          \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                        items:
                          description: ToGroups structure to store all kinds of new
                            integrations that needs a new derivative policy.
                          properties:
                            aws:
                              description: AWSGroup is an structure that can be used
                                to whitelisting information from AWS integration
                              properties:
                                labels:
                                  additionalProperties:
                                    type: string
                                  type: object
                                region:
                                  type: string
                                securityGroupsIds:
                                  items:
                                    type: string
                                  type: array
                                securityGroupsNames:
                                  items:
                                    type: string
                                  type: array
                              type: object
                          type: object
                        type: array
                      toNodes:
                        description: ToNodes is a list of nodes identified by an EndpointSelector
                          to which endpoints subject to the rule is allowed to communicate.
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toPorts:
                        description: "ToPorts is a list of destination ports identified
                          by port number and protocol which the endpoint subject to
                          the rule is not allowed to connect to. \n Example: Any endpoint
                          with the label \"role=frontend\" is not allowed to initiate
                          connections to destination port 8080/tcp"
                        items:
                          description: PortDenyRule is a list of ports/protocol that
                            should be used for deny policies. This structure lacks
                            the L7Rules since it's not supported in deny policies.
                          properties:
                            ports:
                              description: Ports is a list of L4 port/protocol
                              items:
                                description: PortProtocol specifies an L4 port with
                                  an optional transport protocol
                                properties:
                                  port:
                                    description: Port is an L4 port number. For now
                                      the string will be strictly parsed as a single
                                      uint16. In the future, this field may support
                                      ranges in the form "1024-2048 Port can also
                                      be a port name, which must contain at least
                                      one [a-z], and may also contain [0-9] and '-'
                                      anywhere except adjacent to another '-' or in
                                      the beginning or the end.
                                    pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                    type: string
                                  protocol:
                                    description: "Protocol is the L4 protocol. If
                                      omitted or empty, any protocol matches. Accepted
                                      values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"
                                      \n Matching on ICMP is not supported. \n Named
                                      port specified for a container may narrow this
                                      down, but may not contradict this."
                                    enum:
                                    - TCP
                                    - UDP
                                    - SCTP
                                    - ANY
                                    type: string
                                required:
                                - port
                                type: object
                              type: array
                          type: object
                        type: array
                      toRequires:
                        description: "ToRequires is a list of additional constraints
                          which must be met in order for the selected endpoints to
                          be able to connect to other endpoints. These additional
                          constraints do no by itself grant access privileges and
                          must always be accompanied with at least one matching ToEndpoints.
                          \n Example: Any Endpoint with the label \"team=A\" requires
                          any endpoint to which it communicates to also carry the
                          label \"team=A\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toServices:
                        description: "ToServices is a list of services to which the
                          endpoint subject to the rule is allowed to initiate connections.
                          Currently Cilium only supports toServices for K8s services
                          without selectors. \n Example: Any endpoint with the label
                          \"app=backend-app\" is allowed to initiate connections to
                          all cidrs backing the \"external-service\" service"
                        items:
                          description: Service wraps around selectors for services
                          properties:
                            k8sService:
                              description: K8sService selects service by name and
                                namespace pair
                              properties:
                                namespace:
                                  type: string
                                serviceName:
                                  type: string
                              type: object
                            k8sServiceSelector:
                              description: K8sServiceSelector selects services by
                                k8s labels and namespace
                              properties:
                                namespace:
                                  type: string
                                selector:
                                  description: ServiceSelector is a label selector
                                    for k8s services
                                  properties:
                                    matchExpressions:
                                      description: matchExpressions is a list of label
                                        selector requirements. The requirements are
                                        ANDed.
                                      items:
                                        description: A label selector requirement
                                          is a selector that contains values, a key,
                                          and an operator that relates the key and
                                          values.
                                        properties:
                                          key:
                                            description: key is the label key that
                                              the selector applies to.
                                            type: string
                                          operator:
                                            description: operator represents a key's
                                              relationship to a set of values. Valid
                                              operators are In, NotIn, Exists and
                                              DoesNotExist.
                                            enum:
                                            - In
                                            - NotIn
                                            - Exists
                                            - DoesNotExist
                                            type: string
                                          values:
                                            description: values is an array of string
                                              values. If the operator is In or NotIn,
                                              the values array must be non-empty.
                                              If the operator is Exists or DoesNotExist,
                                              the values array must be empty. This
                                              array is replaced during a strategic
                                              merge patch.
                                            items:
                                              type: string
                                            type: array
                                        required:
                                        - key
                                        - operator
                                        type: object
                                      type: array
                                    matchLabels:
                                      additionalProperties:
                                        description: MatchLabelsValue represents the
                                          value from the MatchLabels {key,value} pair.
                                        maxLength: 63
                                        pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                        type: string
                                      description: matchLabels is a map of {key,value}
                                        pairs. A single {key,value} in the matchLabels
                                        map is equivalent to an element of matchExpressions,
                                        whose key field is "key", the operator is
                                        "In", and the values array contains only "value".
                                        The requirements are ANDed.
                                      type: object
                                  type: object
                              required:
                              - selector
                              type: object
                          type: object
                        type: array
                    type: object
                  type: array
                endpointSelector:
                  description: EndpointSelector selects all endpoints which should
                    be subject to this rule. EndpointSelector and NodeSelector cannot
                    be both empty and are mutually exclusive.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            enum:
                            - In
                            - NotIn
                            - Exists
                            - DoesNotExist
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        description: MatchLabelsValue represents the value from the
                          MatchLabels {key,value} pair.
                        maxLength: 63
                        pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
                ingress:
                  description: Ingress is a list of IngressRule which are enforced
                    at ingress. If omitted or empty, this rule does not apply at ingress.
                  items:
                    description: "IngressRule contains all rule types which can be
                      applied at ingress, i.e. network traffic that originates outside
                      of the endpoint and is entering the endpoint selected by the
                      endpointSelector. \n - All members of this structure are optional.
                      If omitted or empty, the member will have no effect on the rule.
                      \n - If multiple members are set, all of them need to match
                      in order for the rule to take effect. The exception to this
                      rule is FromRequires field; the effects of any Requires field
                      in any rule will apply to all other rules as well. \n - FromEndpoints,
                      FromCIDR, FromCIDRSet and FromEntities are mutually exclusive.
                      Only one of these members may be present within an individual
                      rule."
                    properties:
                      authentication:
                        description: Authentication is the required authentication
                          type for the allowed traffic, if any.
                        properties:
                          mode:
                            description: Mode is the required authentication mode
                              for the allowed traffic, if any.
                            enum:
                            - disabled
                            - required
                            - test-always-fail
                            type: string
                        required:
                        - mode
                        type: object
                      fromCIDR:
                        description: "FromCIDR is a list of IP blocks which the endpoint
                          subject to the rule is allowed to receive connections from.
                          Only connections which do *not* originate from the cluster
                          or from the local host are subject to CIDR rules. In order
                          to allow in-cluster connectivity, use the FromEndpoints
                          field.  This will match on the source IP address of incoming
                          connections. Adding  a prefix into FromCIDR or into FromCIDRSet
                          with no ExcludeCIDRs is  equivalent.  Overlaps are allowed
                          between FromCIDR and FromCIDRSet. \n Example: Any endpoint
                          with the label \"app=my-legacy-pet\" is allowed to receive
                          connections from 10.3.9.1"
                        items:
                          description: 'CIDR specifies a block of IP addresses. Example:
                            192.0.2.1/32'
                          pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        type: array
                      fromCIDRSet:
                        description: "FromCIDRSet is a list of IP blocks which the
                          endpoint subject to the rule is allowed to receive connections
                          from in addition to FromEndpoints, along with a list of
                          subnets contained within their corresponding IP block from
                          which traffic should not be allowed. This will match on
                          the source IP address of incoming connections. Adding a
                          prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs
                          is equivalent. Overlaps are allowed between FromCIDR and
                          FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\"
                          is allowed to receive connections from 10.0.0.0/8 except
                          from IPs in subnet 10.96.0.0/12."
                        items:
                          description: CIDRRule is a rule that specifies a CIDR prefix
                            to/from which outside communication  is allowed, along
                            with an optional list of subnets within that CIDR prefix
                            to/from which outside communication is not allowed.
                          oneOf:
                          - properties:
                              cidr: {}
                            required:
                            - cidr
                          - properties:
                              cidrGroupRef: {}
                            required:
                            - cidrGroupRef
                          properties:
                            cidr:
                              description: CIDR is a CIDR prefix / IP Block.
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            cidrGroupRef:
                              description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                                object. A CiliumCIDRGroup contains a list of CIDRs
                                that the endpoint, subject to the rule, can (Ingress)
                                or cannot (IngressDeny) receive connections from.
                              maxLength: 253
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            except:
                              description: ExceptCIDRs is a list of IP blocks which
                                the endpoint subject to the rule is not allowed to
                                initiate connections to. These CIDR prefixes should
                                be contained within Cidr, using ExceptCIDRs together
                                with CIDRGroupRef is not supported yet. These exceptions
                                are only applied to the Cidr in this CIDRRule, and
                                do not apply to any other CIDR prefixes in any other
                                CIDRRules.
                              items:
                                description: 'CIDR specifies a block of IP addresses.
                                  Example: 192.0.2.1/32'
                                pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                                type: string
                              type: array
                          type: object
                        type: array
                      fromEndpoints:
                        description: "FromEndpoints is a list of endpoints identified
                          by an EndpointSelector which are allowed to communicate
                          with the endpoint subject to the rule. \n Example: Any endpoint
                          with the label \"role=backend\" can be consumed by any endpoint
                          carrying the label \"role=frontend\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      fromEntities:
                        description: FromEntities is a list of special entities which
                          the endpoint subject to the rule is allowed to receive connections
                          from. Supported entities are `world`, `cluster` and `host`
                        items:
                          description: Entity specifies the class of receiver/sender
                            endpoints that do not have individual identities.  Entities
                            are used to describe "outside of cluster", "host", etc.
                          enum:
                          - all
                          - world
                          - cluster
                          - host
                          - init
                          - ingress
                          - unmanaged
                          - remote-node
                          - health
                          - none
                          - kube-apiserver
                          type: string
                        type: array
                      fromNodes:
                        description: FromNodes is a list of nodes identified by an
                          EndpointSelector which are allowed to communicate with the
                          endpoint subject to the rule.
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      fromRequires:
                        description: "FromRequires is a list of additional constraints
                          which must be met in order for the selected endpoints to
                          be reachable. These additional constraints do no by itself
                          grant access privileges and must always be accompanied with
                          at least one matching FromEndpoints. \n Example: Any Endpoint
                          with the label \"team=A\" requires consuming endpoint to
                          also carry the label \"team=A\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      icmps:
                        description: "ICMPs is a list of ICMP rule identified by type
                          number which the endpoint subject to the rule is allowed
                          to receive connections on. \n Example: Any endpoint with
                          the label \"app=httpd\" can only accept incoming type 8
                          ICMP connections."
                        items:
                          description: ICMPRule is a list of ICMP fields.
                          properties:
                            fields:
                              description: Fields is a list of ICMP fields.
                              items:
                                description: ICMPField is a ICMP field.
                                properties:
                                  family:
                                    default: IPv4
                                    description: Family is a IP address version. Currently,
                                      we support `IPv4` and `IPv6`. `IPv4` is set
                                      as default.
                                    enum:
                                    - IPv4
                                    - IPv6
                                    type: string
                                  type:
                                    description: Type is a ICMP-type. It should be
                                      0-255 (8bit).
                                    maximum: 255
                                    minimum: 0
                                    type: integer
                                required:
                                - type
                                type: object
                              type: array
                          type: object
                        type: array
                      toPorts:
                        description: "ToPorts is a list of destination ports identified
                          by port number and protocol which the endpoint subject to
                          the rule is allowed to receive connections on. \n Example:
                          Any endpoint with the label \"app=httpd\" can only accept
                          incoming connections on port 80/tcp."
                        items:
                          description: PortRule is a list of ports/protocol combinations
                            with optional Layer 7 rules which must be met.
                          properties:
                            listener:
                              description: listener specifies the name of a custom
                                Envoy listener to which this traffic should be redirected
                                to.
                              properties:
                                envoyConfig:
                                  description: EnvoyConfig is a reference to the CEC
                                    or CCEC resource in which the listener is defined.
                                  properties:
                                    kind:
                                      description: Kind is the resource type being
                                        referred to. Defaults to CiliumEnvoyConfig
                                        or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy
                                        and CiliumClusterwideNetworkPolicy, respectively.
                                        The only case this is currently explicitly
                                        needed is when referring to a CiliumClusterwideEnvoyConfig
                                        from CiliumNetworkPolicy, as using a namespaced
                                        listener from a cluster scoped policy is not
                                        allowed.
                                      enum:
                                      - CiliumEnvoyConfig
                                      - CiliumClusterwideEnvoyConfig
                                      type: string
                                    name:
                                      description: Name is the resource name of the
                                        CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig
                                        where the listener is defined in.
                                      minLength: 1
                                      type: string
                                  required:
                                  - name
                                  type: object
                                name:
                                  description: Name is the name of the listener.
                                  minLength: 1
                                  type: string
                                priority:
                                  description: Priority for this Listener that is
                                    used when multiple rules would apply different
                                    listeners to a policy map entry. Behavior of this
                                    is implementation dependent.
                                  maximum: 100
                                  minimum: 1
                                  type: integer
                              required:
                              - envoyConfig
                              - name
                              type: object
                            originatingTLS:
                              description: OriginatingTLS is the TLS context for the
                                connections originated by the L7 proxy.  For egress
                                policy this specifies the client-side TLS parameters
                                for the upstream connection originating from the L7
                                proxy to the remote destination. For ingress policy
                                this specifies the client-side TLS parameters for
                                the connection from the L7 proxy to the local endpoint.
                              properties:
                                certificate:
                                  description: Certificate is the file name or k8s
                                    secret item name for the certificate chain. If
                                    omitted, 'tls.crt' is assumed, if it exists. If
                                    given, the item must exist.
                                  type: string
                                privateKey:
                                  description: PrivateKey is the file name or k8s
                                    secret item name for the private key matching
                                    the certificate chain. If omitted, 'tls.key' is
                                    assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                                secret:
                                  description: 'Secret is the secret that contains
                                    the certificates and private key for the TLS context.
                                    By default, Cilium will search in this secret
                                    for the following items: - ''ca.crt''  - Which
                                    represents the trusted CA to verify remote source.
                                    - ''tls.crt'' - Which represents the public key
                                    certificate. - ''tls.key'' - Which represents
                                    the private key matching the public key certificate.'
                                  properties:
                                    name:
                                      description: Name is the name of the secret.
                                      type: string
                                    namespace:
                                      description: Namespace is the namespace in which
                                        the secret exists. Context of use determines
                                        the default value if left out (e.g., "default").
                                      type: string
                                  required:
                                  - name
                                  type: object
                                trustedCA:
                                  description: TrustedCA is the file name or k8s secret
                                    item name for the trusted CA. If omitted, 'ca.crt'
                                    is assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                              required:
                              - secret
                              type: object
                            ports:
                              description: Ports is a list of L4 port/protocol
                              items:
                                description: PortProtocol specifies an L4 port with
                                  an optional transport protocol
                                properties:
                                  port:
                                    description: Port is an L4 port number. For now
                                      the string will be strictly parsed as a single
                                      uint16. In the future, this field may support
                                      ranges in the form "1024-2048 Port can also
                                      be a port name, which must contain at least
                                      one [a-z], and may also contain [0-9] and '-'
                                      anywhere except adjacent to another '-' or in
                                      the beginning or the end.
                                    pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                    type: string
                                  protocol:
                                    description: "Protocol is the L4 protocol. If
                                      omitted or empty, any protocol matches. Accepted
                                      values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"
                                      \n Matching on ICMP is not supported. \n Named
                                      port specified for a container may narrow this
                                      down, but may not contradict this."
                                    enum:
                                    - TCP
                                    - UDP
                                    - SCTP
                                    - ANY
                                    type: string
                                required:
                                - port
                                type: object
                              type: array
                            rules:
                              description: Rules is a list of additional port level
                                rules which must be met in order for the PortRule
                                to allow the traffic. If omitted or empty, no layer
                                7 rules are enforced.
                              properties:
                                dns:
                                  description: DNS-specific rules.
                                  items:
                                    description: PortRuleDNS is a list of allowed
                                      DNS lookups.
                                    properties:
                                      matchName:
                                        description: MatchName matches literal DNS
                                          names. A trailing "." is automatically added
                                          when missing.
                                        pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                        type: string
                                      matchPattern:
                                        description: "MatchPattern allows using wildcards
                                          to match DNS names. All wildcards are case
                                          insensitive. The wildcards are: - \"*\"
                                          matches 0 or more DNS valid characters,
                                          and may occur anywhere in the pattern. As
                                          a special case a \"*\" as the leftmost character,
                                          without a following \".\" matches all subdomains
                                          as well as the name to the right. A trailing
                                          \".\" is automatically added when missing.
                                          \n Examples: `*.cilium.io` matches subomains
                                          of cilium at that level www.cilium.io and
                                          blog.cilium.io match, cilium.io and google.com
                                          do not `*cilium.io` matches cilium.io and
                                          all subdomains ends with \"cilium.io\" except
                                          those containing \".\" separator, subcilium.io
                                          and sub-cilium.io match, www.cilium.io and
                                          blog.cilium.io does not sub*.cilium.io matches
                                          subdomains of cilium where the subdomain
                                          component begins with \"sub\" sub.cilium.io
                                          and subdomain.cilium.io match, www.cilium.io,
                                          blog.cilium.io, cilium.io and google.com
                                          do not"
                                        pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                        type: string
                                    type: object
                                  type: array
                                http:
                                  description: HTTP specific rules.
                                  items:
                                    description: "PortRuleHTTP is a list of HTTP protocol
                                      constraints. All fields are optional, if all
                                      fields are empty or missing, the rule does not
                                      have any effect. \n All fields of this type
                                      are extended POSIX regex as defined by IEEE
                                      Std 1003.1, (i.e this follows the egrep/unix
                                      syntax, not the perl syntax) matched against
                                      the path of an incoming request. Currently it
                                      can contain characters disallowed from the conventional
                                      \"path\" part of a URL as defined by RFC 3986."
                                    properties:
                                      headerMatches:
                                        description: HeaderMatches is a list of HTTP
                                          headers which must be present and match
                                          against the given values. Mismatch field
                                          can be used to specify what to do when there
                                          is no match.
                                        items:
                                          description: HeaderMatch extends the HeaderValue
                                            for matching requirement of a named header
                                            field against an immediate string, a secret
                                            value, or a regex.  If none of the optional
                                            fields is present, then the header value
                                            is not matched, only presence of the header
                                            is enough.
                                          properties:
                                            mismatch:
                                              description: Mismatch identifies what
                                                to do in case there is no match. The
                                                default is to drop the request. Otherwise
                                                the overall rule is still considered
                                                as matching, but the mismatches are
                                                logged in the access log.
                                              enum:
                                              - LOG
                                              - ADD
                                              - DELETE
                                              - REPLACE
                                              type: string
                                            name:
                                              description: Name identifies the header.
                                              type: string
                                            secret:
                                              description: Secret refers to a secret
                                                that contains the value to be matched
                                                against. The secret must only contain
                                                one entry. If the referred secret
                                                does not exist, and there is no "Value"
                                                specified, the match will fail.
                                              properties:
                                                name:
                                                  description: Name is the name of
                                                    the secret.
                                                  type: string
                                                namespace:
                                                  description: Namespace is the namespace
                                                    in which the secret exists. Context
                                                    of use determines the default
                                                    value if left out (e.g., "default").
                                                  type: string
                                              required:
                                              - name
                                              type: object
                                            value:
                                              description: Value matches the exact
                                                value of the header. Can be specified
                                                either alone or together with "Secret";
                                                will be used as the header value if
                                                the secret can not be found in the
                                                latter case.
                                              type: string
                                          required:
                                          - name
                                          type: object
                                        type: array
                                      headers:
                                        description: Headers is a list of HTTP headers
                                          which must be present in the request. If
                                          omitted or empty, requests are allowed regardless
                                          of headers present.
                                        items:
                                          type: string
                                        type: array
                                      host:
                                        description: "Host is an extended POSIX regex
                                          matched against the host header of a request,
                                          e.g. \"foo.com\" \n If omitted or empty,
                                          the value of the host header is ignored."
                                        format: idn-hostname
                                        type: string
                                      method:
                                        description: "Method is an extended POSIX
                                          regex matched against the method of a request,
                                          e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\",
                                          \"DELETE\", ... \n If omitted or empty,
                                          all methods are allowed."
                                        type: string
                                      path:
                                        description: "Path is an extended POSIX regex
                                          matched against the path of a request. Currently
                                          it can contain characters disallowed from
                                          the conventional \"path\" part of a URL
                                          as defined by RFC 3986. \n If omitted or
                                          empty, all paths are all allowed."
                                        type: string
                                    type: object
                                  type: array
                                kafka:
                                  description: Kafka-specific rules.
                                  items:
                                    description: PortRule is a list of Kafka protocol
                                      constraints. All fields are optional, if all
                                      fields are empty or missing, the rule will match
                                      all Kafka messages.
                                    properties:
                                      apiKey:
                                        description: "APIKey is a case-insensitive
                                          string matched against the key of a request,
                                          e.g. \"produce\", \"fetch\", \"createtopic\",
                                          \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys
                                          \n If omitted or empty, and if Role is not
                                          specified, then all keys are allowed."
                                        type: string
                                      apiVersion:
                                        description: "APIVersion is the version matched
                                          against the api version of the Kafka message.
                                          If set, it has to be a string representing
                                          a positive integer. \n If omitted or empty,
                                          all versions are allowed."
                                        type: string
                                      clientID:
                                        description: "ClientID is the client identifier
                                          as provided in the request. \n From Kafka
                                          protocol documentation: This is a user supplied
                                          identifier for the client application. The
                                          user can use any identifier they like and
                                          it will be used when logging errors, monitoring
                                          aggregates, etc. For example, one might
                                          want to monitor not just the requests per
                                          second overall, but the number coming from
                                          each client application (each of which could
                                          reside on multiple servers). This id acts
                                          as a logical grouping across all requests
                                          from a particular client. \n If omitted
                                          or empty, all client identifiers are allowed."
                                        type: string
                                      role:
                                        description: "Role is a case-insensitive string
                                          and describes a group of API keys necessary
                                          to perform certain higher-level Kafka operations
                                          such as \"produce\" or \"consume\". A Role
                                          automatically expands into all APIKeys required
                                          to perform the specified higher-level operation.
                                          \n The following values are supported: -
                                          \"produce\": Allow producing to the topics
                                          specified in the rule - \"consume\": Allow
                                          consuming from the topics specified in the
                                          rule \n This field is incompatible with
                                          the APIKey field, i.e APIKey and Role cannot
                                          both be specified in the same rule. \n If
                                          omitted or empty, and if APIKey is not specified,
                                          then all keys are allowed."
                                        enum:
                                        - produce
                                        - consume
                                        type: string
                                      topic:
                                        description: "Topic is the topic name contained
                                          in the message. If a Kafka request contains
                                          multiple topics, then all topics must be
                                          allowed or the message will be rejected.
                                          \n This constraint is ignored if the matched
                                          request message type doesn't contain any
                                          topic. Maximum size of Topic can be 249
                                          characters as per recent Kafka spec and
                                          allowed characters are a-z, A-Z, 0-9, -,
                                          . and _. \n Older Kafka versions had longer
                                          topic lengths of 255, but in Kafka 0.10
                                          version the length was changed from 255
                                          to 249. For compatibility reasons we are
                                          using 255. \n If omitted or empty, all topics
                                          are allowed."
                                        maxLength: 255
                                        type: string
                                    type: object
                                  type: array
                                l7:
                                  description: Key-value pair rules.
                                  items:
                                    additionalProperties:
                                      type: string
                                    description: PortRuleL7 is a list of key-value
                                      pairs interpreted by a L7 protocol as protocol
                                      constraints. All fields are optional, if all
                                      fields are empty or missing, the rule does not
                                      have any effect.
                                    type: object
                                  type: array
                                l7proto:
                                  description: Name of the L7 protocol for which the
                                    Key-value pair rules apply.
                                  type: string
                              type: object
                            serverNames:
                              description: ServerNames is a list of allowed TLS SNI
                                values. If not empty, then TLS must be present and
                                one of the provided SNIs must be indicated in the
                                TLS handshake.
                              items:
                                type: string
                              type: array
                            terminatingTLS:
                              description: TerminatingTLS is the TLS context for the
                                connection terminated by the L7 proxy.  For egress
                                policy this specifies the server-side TLS parameters
                                to be applied on the connections originated from the
                                local endpoint and terminated by the L7 proxy. For
                                ingress policy this specifies the server-side TLS
                                parameters to be applied on the connections originated
                                from a remote source and terminated by the L7 proxy.
                              properties:
                                certificate:
                                  description: Certificate is the file name or k8s
                                    secret item name for the certificate chain. If
                                    omitted, 'tls.crt' is assumed, if it exists. If
                                    given, the item must exist.
                                  type: string
                                privateKey:
                                  description: PrivateKey is the file name or k8s
                                    secret item name for the private key matching
                                    the certificate chain. If omitted, 'tls.key' is
                                    assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                                secret:
                                  description: 'Secret is the secret that contains
                                    the certificates and private key for the TLS context.
                                    By default, Cilium will search in this secret
                                    for the following items: - ''ca.crt''  - Which
                                    represents the trusted CA to verify remote source.
                                    - ''tls.crt'' - Which represents the public key
                                    certificate. - ''tls.key'' - Which represents
                                    the private key matching the public key certificate.'
                                  properties:
                                    name:
                                      description: Name is the name of the secret.
                                      type: string
                                    namespace:
                                      description: Namespace is the namespace in which
                                        the secret exists. Context of use determines
                                        the default value if left out (e.g., "default").
                                      type: string
                                  required:
                                  - name
                                  type: object
                                trustedCA:
                                  description: TrustedCA is the file name or k8s secret
                                    item name for the trusted CA. If omitted, 'ca.crt'
                                    is assumed, if it exists. If given, the item must
                                    exist.
                                  type: string
                              required:
                              - secret
                              type: object
                          type: object
                        type: array
                    type: object
                  type: array
                ingressDeny:
                  description: IngressDeny is a list of IngressDenyRule which are
                    enforced at ingress. Any rule inserted here will be denied regardless
                    of the allowed ingress rules in the 'ingress' field. If omitted
                    or empty, this rule does not apply at ingress.
                  items:
                    description: "IngressDenyRule contains all rule types which can
                      be applied at ingress, i.e. network traffic that originates
                      outside of the endpoint and is entering the endpoint selected
                      by the endpointSelector. \n - All members of this structure
                      are optional. If omitted or empty, the member will have no effect
                      on the rule. \n - If multiple members are set, all of them need
                      to match in order for the rule to take effect. The exception
                      to this rule is FromRequires field; the effects of any Requires
                      field in any rule will apply to all other rules as well. \n
                      - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are
                      mutually exclusive. Only one of these members may be present
                      within an individual rule."
                    properties:
                      fromCIDR:
                        description: "FromCIDR is a list of IP blocks which the endpoint
                          subject to the rule is allowed to receive connections from.
                          Only connections which do *not* originate from the cluster
                          or from the local host are subject to CIDR rules. In order
                          to allow in-cluster connectivity, use the FromEndpoints
                          field.  This will match on the source IP address of incoming
                          connections. Adding  a prefix into FromCIDR or into FromCIDRSet
                          with no ExcludeCIDRs is  equivalent.  Overlaps are allowed
                          between FromCIDR and FromCIDRSet. \n Example: Any endpoint
                          with the label \"app=my-legacy-pet\" is allowed to receive
                          connections from 10.3.9.1"
                        items:
                          description: 'CIDR specifies a block of IP addresses. Example:
                            192.0.2.1/32'
                          pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        type: array
                      fromCIDRSet:
                        description: "FromCIDRSet is a list of IP blocks which the
                          endpoint subject to the rule is allowed to receive connections
                          from in addition to FromEndpoints, along with a list of
                          subnets contained within their corresponding IP block from
                          which traffic should not be allowed. This will match on
                          the source IP address of incoming connections. Adding a
                          prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs
                          is equivalent. Overlaps are allowed between FromCIDR and
                          FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\"
                          is allowed to receive connections from 10.0.0.0/8 except
                          from IPs in subnet 10.96.0.0/12."
                        items:
                          description: CIDRRule is a rule that specifies a CIDR prefix
                            to/from which outside communication  is allowed, along
                            with an optional list of subnets within that CIDR prefix
                            to/from which outside communication is not allowed.
                          oneOf:
                          - properties:
                              cidr: {}
                            required:
                            - cidr
                          - properties:
                              cidrGroupRef: {}
                            required:
                            - cidrGroupRef
                          properties:
                            cidr:
                              description: CIDR is a CIDR prefix / IP Block.
                              pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            cidrGroupRef:
                              description: CIDRGroupRef is a reference to a CiliumCIDRGroup
                                object. A CiliumCIDRGroup contains a list of CIDRs
                                that the endpoint, subject to the rule, can (Ingress)
                                or cannot (IngressDeny) receive connections from.
                              maxLength: 253
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                              type: string
                            except:
                              description: ExceptCIDRs is a list of IP blocks which
                                the endpoint subject to the rule is not allowed to
                                initiate connections to. These CIDR prefixes should
                                be contained within Cidr, using ExceptCIDRs together
                                with CIDRGroupRef is not supported yet. These exceptions
                                are only applied to the Cidr in this CIDRRule, and
                                do not apply to any other CIDR prefixes in any other
                                CIDRRules.
                              items:
                                description: 'CIDR specifies a block of IP addresses.
                                  Example: 192.0.2.1/32'
                                pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                                type: string
                              type: array
                          type: object
                        type: array
                      fromEndpoints:
                        description: "FromEndpoints is a list of endpoints identified
                          by an EndpointSelector which are allowed to communicate
                          with the endpoint subject to the rule. \n Example: Any endpoint
                          with the label \"role=backend\" can be consumed by any endpoint
                          carrying the label \"role=frontend\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      fromEntities:
                        description: FromEntities is a list of special entities which
                          the endpoint subject to the rule is allowed to receive connections
                          from. Supported entities are `world`, `cluster` and `host`
                        items:
                          description: Entity specifies the class of receiver/sender
                            endpoints that do not have individual identities.  Entities
                            are used to describe "outside of cluster", "host", etc.
                          enum:
                          - all
                          - world
                          - cluster
                          - host
                          - init
                          - ingress
                          - unmanaged
                          - remote-node
                          - health
                          - none
                          - kube-apiserver
                          type: string
                        type: array
                      fromNodes:
                        description: FromNodes is a list of nodes identified by an
                          EndpointSelector which are allowed to communicate with the
                          endpoint subject to the rule.
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      fromRequires:
                        description: "FromRequires is a list of additional constraints
                          which must be met in order for the selected endpoints to
                          be reachable. These additional constraints do no by itself
                          grant access privileges and must always be accompanied with
                          at least one matching FromEndpoints. \n Example: Any Endpoint
                          with the label \"team=A\" requires consuming endpoint to
                          also carry the label \"team=A\"."
                        items:
                          description: EndpointSelector is a wrapper for k8s LabelSelector.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector
                                requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector
                                  that contains values, a key, and an operator that
                                  relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector
                                      applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship
                                      to a set of values. Valid operators are In,
                                      NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values.
                                      If the operator is In or NotIn, the values array
                                      must be non-empty. If the operator is Exists
                                      or DoesNotExist, the values array must be empty.
                                      This array is replaced during a strategic merge
                                      patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              additionalProperties:
                                description: MatchLabelsValue represents the value
                                  from the MatchLabels {key,value} pair.
                                maxLength: 63
                                pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                type: string
                              description: matchLabels is a map of {key,value} pairs.
                                A single {key,value} in the matchLabels map is equivalent
                                to an element of matchExpressions, whose key field
                                is "key", the operator is "In", and the values array
                                contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      icmps:
                        description: "ICMPs is a list of ICMP rule identified by type
                          number which the endpoint subject to the rule is not allowed
                          to receive connections on. \n Example: Any endpoint with
                          the label \"app=httpd\" can not accept incoming type 8 ICMP
                          connections."
                        items:
                          description: ICMPRule is a list of ICMP fields.
                          properties:
                            fields:
                              description: Fields is a list of ICMP fields.
                              items:
                                description: ICMPField is a ICMP field.
                                properties:
                                  family:
                                    default: IPv4
                                    description: Family is a IP address version. Currently,
                                      we support `IPv4` and `IPv6`. `IPv4` is set
                                      as default.
                                    enum:
                                    - IPv4
                                    - IPv6
                                    type: string
                                  type:
                                    description: Type is a ICMP-type. It should be
                                      0-255 (8bit).
                                    maximum: 255
                                    minimum: 0
                                    type: integer
                                required:
                                - type
                                type: object
                              type: array
                          type: object
                        type: array
                      toPorts:
                        description: "ToPorts is a list of destination ports identified
                          by port number and protocol which the endpoint subject to
                          the rule is not allowed to receive connections on. \n Example:
                          Any endpoint with the label \"app=httpd\" can not accept
                          incoming connections on port 80/tcp."
                        items:
                          description: PortDenyRule is a list of ports/protocol that
                            should be used for deny policies. This structure lacks
                            the L7Rules since it's not supported in deny policies.
                          properties:
                            ports:
                              description: Ports is a list of L4 port/protocol
                              items:
                                description: PortProtocol specifies an L4 port with
                                  an optional transport protocol
                                properties:
                                  port:
                                    description: Port is an L4 port number. For now
                                      the string will be strictly parsed as a single
                                      uint16. In the future, this field may support
                                      ranges in the form "1024-2048 Port can also
                                      be a port name, which must contain at least
                                      one [a-z], and may also contain [0-9] and '-'
                                      anywhere except adjacent to another '-' or in
                                      the beginning or the end.
                                    pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                    type: string
                                  protocol:
                                    description: "Protocol is the L4 protocol. If
                                      omitted or empty, any protocol matches. Accepted
                                      values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"
                                      \n Matching on ICMP is not supported. \n Named
                                      port specified for a container may narrow this
                                      down, but may not contradict this."
                                    enum:
                                    - TCP
                                    - UDP
                                    - SCTP
                                    - ANY
                                    type: string
                                required:
                                - port
                                type: object
                              type: array
                          type: object
                        type: array
                    type: object
                  type: array
                labels:
                  description: Labels is a list of optional strings which can be used
                    to re-identify the rule or to store metadata. It is possible to
                    lookup or delete strings based on labels. Labels are not required
                    to be unique, multiple rules can have overlapping or identical
                    labels.
                  items:
                    description: Label is the Cilium's representation of a container
                      label.
                    properties:
                      key:
                        type: string
                      source:
                        description: 'Source can be one of the above values (e.g.:
                          LabelSourceContainer).'
                        type: string
                      value:
                        type: string
                    required:
                    - key
                    type: object
                  type: array
                nodeSelector:
                  description: NodeSelector selects all nodes which should be subject
                    to this rule. EndpointSelector and NodeSelector cannot be both
                    empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that
                          contains values, a key, and an operator that relates the
                          key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: operator represents a key's relationship
                              to a set of values. Valid operators are In, NotIn, Exists
                              and DoesNotExist.
                            enum:
                            - In
                            - NotIn
                            - Exists
                            - DoesNotExist
                            type: string
                          values:
                            description: values is an array of string values. If the
                              operator is In or NotIn, the values array must be non-empty.
                              If the operator is Exists or DoesNotExist, the values
                              array must be empty. This array is replaced during a
                              strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      additionalProperties:
                        description: MatchLabelsValue represents the value from the
                          MatchLabels {key,value} pair.
                        maxLength: 63
                        pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                        type: string
                      description: matchLabels is a map of {key,value} pairs. A single
                        {key,value} in the matchLabels map is equivalent to an element
                        of matchExpressions, whose key field is "key", the operator
                        is "In", and the values array contains only "value". The requirements
                        are ANDed.
                      type: object
                  type: object
              type: object
            type: array
          status:
            description: "Status is the status of the Cilium policy rule. \n The reason
              this field exists in this structure is due a bug in the k8s code-generator
              that doesn't create a `UpdateStatus` method because the field does not
              exist in the structure."
            properties:
              derivativePolicies:
                additionalProperties:
                  description: CiliumNetworkPolicyNodeStatus is the status of a Cilium
                    policy rule for a specific node.
                  properties:
                    annotations:
                      additionalProperties:
                        type: string
                      description: Annotations corresponds to the Annotations in the
                        ObjectMeta of the CNP that have been realized on the node
                        for CNP. That is, if a CNP has been imported and has been
                        assigned annotation X=Y by the user, Annotations in CiliumNetworkPolicyNodeStatus
                        will be X=Y once the CNP that was imported corresponding to
                        Annotation X=Y has been realized on the node.
                      type: object
                    enforcing:
                      description: Enforcing is set to true once all endpoints present
                        at the time the policy has been imported are enforcing this
                        policy.
                      type: boolean
                    error:
                      description: Error describes any error that occurred when parsing
                        or importing the policy, or realizing the policy for the endpoints
                        to which it applies on the node.
                      type: string
                    lastUpdated:
                      description: LastUpdated contains the last time this status
                        was updated
                      format: date-time
                      type: string
                    localPolicyRevision:
                      description: Revision is the policy revision of the repository
                        which first implemented this policy.
                      format: int64
                      type: integer
                    ok:
                      description: OK is true when the policy has been parsed and
                        imported successfully into the in-memory policy repository
                        on the node.
                      type: boolean
                  type: object
                description: DerivativePolicies is the status of all policies derived
                  from the Cilium policy
                type: object
              nodes:
                additionalProperties:
                  description: CiliumNetworkPolicyNodeStatus is the status of a Cilium
                    policy rule for a specific node.
                  properties:
                    annotations:
                      additionalProperties:
                        type: string
                      description: Annotations corresponds to the Annotations in the
                        ObjectMeta of the CNP that have been realized on the node
                        for CNP. That is, if a CNP has been imported and has been
                        assigned annotation X=Y by the user, Annotations in CiliumNetworkPolicyNodeStatus
                        will be X=Y once the CNP that was imported corresponding to
                        Annotation X=Y has been realized on the node.
                      type: object
                    enforcing:
                      description: Enforcing is set to true once all endpoints present
                        at the time the policy has been imported are enforcing this
                        policy.
                      type: boolean
                    error:
                      description: Error describes any error that occurred when parsing
                        or importing the policy, or realizing the policy for the endpoints
                        to which it applies on the node.
                      type: string
                    lastUpdated:
                      description: LastUpdated contains the last time this status
                        was updated
                      format: date-time
                      type: string
                    localPolicyRevision:
                      description: Revision is the policy revision of the repository
                        which first implemented this policy.
                      format: int64
                      type: integer
                    ok:
                      description: OK is true when the policy has been parsed and
                        imported successfully into the in-memory policy repository
                        on the node.
                      type: boolean
                  type: object
                description: Nodes is the Cilium policy status for each node
                type: object
            type: object
        required:
        - metadata
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
